Hackers find hidden exploit in Google's Gemini

Published: 1 October 2025
Last updated: 2 October 2025
Gemini AI attack
Image by Cybernews

Three critical flaws in Google’s Gemini could allow attackers to inject prompts and steal user data.

Key takeaways:
  • Researchers found three high-risk “Gemini Trifecta” vulnerabilities that let attackers inject prompts and steal user data.
  • Gemini Cloud Assist could be tricked by malicious log entries to execute unauthorized cloud queries.
  • Search Personalization can be manipulated via a user’s browser history to make Gemini follow attacker-controlled instructions.
  • Gemini’s Browsing Tool was abused to embed and exfiltrate private user data to attacker-controlled servers.
  • Google patched the reported flaws after disclosure, but the issues exposed serious privacy and cloud-security risks.

Cybersecurity researchers have uncovered three high-risk vulnerabilities – dubbed the Gemini Trifecta – in Google’s Gemini AI suite.

ADVERTISEMENT

Researchers from security firm Tenable tested Google’s AI with search-injection attacks, log-to-prompt injection attacks, and exfiltration of the user's saved information and location data.

The vulnerabilities they found exposed users to severe privacy risks. They allowed attackers to hijack cloud services, poison personalized searches, and secretly take over sensitive user data.

“This is a blind spot. We discovered that if an attacker could infiltrate a prompt, they could have been able to instruct Gemini to fetch a malicious URL, embedding user data into that request,” wrote the researchers.

After the findings were disclosed, Google reacted promptly to patch the vulnerabilities.

Gemini’s Cloud Assist could be tricked into executing unauthorized queries

The first vulnerability was found in Gemini Cloud Assist. This tool is designed to help users make sense of complex logs in GCP by summarizing entries and surfacing recommendations. “While evaluating this feature, we noticed something that caught our attention: Gemini wasn't just summarizing metadata; it was pulling directly from raw logs,” explained the researchers.

They successfully added attacker-controlled text into the logs to trick Gemini into executing instructions buried in log content.

Gemini AI vulnerability
Source: Tenable
ADVERTISEMENT

“Typically, passive artifacts could become an active threat vector.”

The vulnerability could be triggered by a victim pressing the “Explain this log entry” button in GCP Log Explorer. The prompt injection hidden inside an HTTP User-Agent header could have tricked the system into executing unauthorized cloud queries.

The researchers shared one impactful attack scenario: inject a prompt instructing Gemini to query all public assets or for IAM misconfigurations, and then create a hyperlink containing this sensitive data.

“Attackers could also 'spray' attacks on all GCP public-facing services to get as much impact as possible rather than a targeted attack,” explained the researchers.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us
Gemini AI vulnerability
Source: Tenable

Personalized Gemini search could be exploited by attackers

The second flaw targeted Gemini’s Search Personalization model. This tool tailors answers based on a user’s browsing history. However, the discovered vulnerability showed that the tool could be exploited by attackers.

“This personalization is core to Gemini’s value, but it also means that search queries are, effectively, data that Gemini processes. That led us to a key insight: search history isn't just passive context, it's active input,” noted the researchers.

They also discovered that an attacker could plant instructions that Gemini would later treat as legitimate queries by manipulating a victim's Chrome search history with malicious JavaScript.

ADVERTISEMENT

“We asked: If an attacker could write to a user's browser search history, could that search history be used to control Gemini’s behavior, affecting the Gemini Search Personalization model?”

This exploit allowed the researchers to exfiltrate user-saved information and location data.

Gemini AI vulnerability
Source: Tenable

Gemini’s Browsing Tool sent user data to a malicious server

The third issue affected Gemini’s Browsing Tool. The Gemini Browsing Tool allows the model to access live web content and generate summaries based on that content.

Researchers tried to test whether they could instruct Gemini to send the user’s saved information to an external malicious server.

“AI systems don't just leak through obvious outputs. They can also leak via functionality – especially through tools like Gemini’s Browsing Tool, which enables real-time data fetching from external URLs,” said the researchers.

Gemini AI vulnerability
Source: Tenable

After a couple of attempts, they succeeded in exploiting the tool.

“We were able to exploit the vulnerability by convincing Gemini to use the tool and embed the user’s private data inside a request to a malicious server controlled by us (the attacker).” “We could then silently extract that data on the server side, without needing Gemini to visibly show anything suspicious, such as rendering links or images.”

ADVERTISEMENT

Attackers could have used such indirect prompt injection to force the system to embed private data into outbound requests and transmit it to attacker-controlled servers.

FAQ

What is prompt injection?

Prompt injection is an attack technique where an adversary embeds malicious instructions into data that an AI system treats as input (the “prompt”), tricking the model into executing those instructions or revealing sensitive information; in practice this can mean hiding commands in logs, web content, or other data sources the model reads, causing the model to behave in ways the developer did not intend.

Why is prompt injection dangerous in large AI systems?

Because large models often accept and act on complex natural‑language inputs, any attacker-controlled text that the system treats as part of its prompt can redirect the model’s behavior. e.g., to reveal secrets, perform unauthorized queries, or call external tools. Often it happens without obvious signs to the user.

What is the “Gemini Trifecta”?

The “Gemini Trifecta” is the name given by Tenable researchers to three high‑risk vulnerabilities discovered in Google’s Gemini AI suite that together allowed attackers to inject malicious prompts, manipulate model behavior, and exfiltrate users’ private data.

Why are these Gemini AI vulnerabilities significant?

They highlight how AI tools can turn passive data sources (logs, search history, browsing) into active attack vectors if not secured. This raises broader concerns about AI security, prompt injection, and data privacy in cloud-connected AI services.

What types of data could attackers access?

Attackers could potentially access saved user information, location data, cloud configuration details, and other sensitive content processed by Gemini tools.

What risks did these vulnerabilities pose to users and organizations?

The flaws exposed users to severe privacy and security risks, including:

  • Unauthorized execution of cloud queries and access to sensitive cloud data.
  • Manipulation of personalized search results and AI behavior through browser history.
  • Silent exfiltration of user data via AI tools, without visible signs of compromise.

Unlock more exclusive Cybernews content on YouTube.

Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT