Three Critical Flaws Allow Prompt Injection and Data Exfiltration, Now Patched

Illustration of Google’s logo surrounded by mystical elements, representing the Gemini AI assistant and its vulnerabilities.

Cybersecurity researchers have revealed three critical vulnerabilities in Google’s Gemini AI assistant, which have since been addressed by the tech giant. The flaws, collectively named the “Gemini Trifecta,” could have allowed attackers to exploit the AI’s capabilities for data theft and privacy breaches. Tenable security researcher Liv Matan explained that the vulnerabilities affected three distinct components of the Gemini suite, including the Search Personalization Model, Gemini Cloud Assist, and the Gemini Browsing Tool.

One of the most concerning flaws allowed attackers to inject malicious prompts into Gemini Cloud Assist, potentially enabling the retrieval of sensitive data such as IAM misconfigurations or public assets. This could be done by creating a hyperlink that contained the sensitive data, which Gemini could then process without rendering the link. Another vulnerability involved poisoning a user’s browsing history with malicious search queries, which could then be processed by Gemini’s search personalization model to steal private information. The third flaw enabled the exfiltration of user data and location information through the Browsing Tool, potentially without the user’s knowledge.

In response, Google has implemented several security measures, including ceasing to render hyperlinks in log summarization responses and enhancing protections against prompt injection attacks. Matan emphasized that the findings highlight the growing risks associated with AI systems, which can be exploited not just as targets but as tools for cyberattacks. As organizations increasingly adopt AI technologies, the need for robust security protocols and visibility into AI environments has never been more critical.
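The mitigation described above, refusing to turn model output into clickable links when that output was built from attacker-influenced data such as logs, can be enforced outside the model itself. The following is an added example, not Google's or Tenable's code: a post-processing filter for a log-summarization response that replaces every hyperlink with a plain-text placeholder and flags links whose query strings look like they carry a data payload, so an injected exfiltration link becomes a review signal instead of a click target. The function names, the `FilterResult` type, the heuristic thresholds and the sample response are all constructed for this illustration.

```python
"""
Added illustration (not Google's or Tenable's code): neutralize hyperlinks
in an LLM log-summarization response before it is rendered to a user.
The model output below is constructed for the example.
"""
import re
from dataclasses import dataclass, field

# Three link shapes a model might emit: markdown [text](url), HTML anchors,
# and bare http(s) URLs. Order matters: markdown and anchors are handled
# first so their URLs are not counted a second time by the bare-URL pass.
MARKDOWN_LINK = re.compile(r"\[([^\]]*)\]\((https?://[^)\s]+)\)")
HTML_ANCHOR = re.compile(
    r"<a\s+[^>]*href=[\"'](https?://[^\"']+)[\"'][^>]*>(.*?)</a>", re.I | re.S
)
BARE_URL = re.compile(r"https?://[^\s<>()\[\]]+")


@dataclass
class FilterResult:
    text: str                      # response with links neutralized
    removed_urls: list = field(default_factory=list)  # every URL stripped
    suspicious: list = field(default_factory=list)    # URLs that look like exfiltration


def looks_like_exfil(url: str) -> bool:
    """Heuristic (assumed thresholds): a link whose query string is long,
    has several parameters, or embeds a base64-looking blob has the shape
    of a link built to carry data out rather than to point at a document."""
    query = url.split("?", 1)[1] if "?" in url else ""
    if len(query) > 80 or query.count("&") >= 3:
        return True
    return bool(re.search(r"[A-Za-z0-9+/=]{40,}", url))


def neutralize_links(response: str) -> FilterResult:
    """Replace every hyperlink in the model response with '[link removed]',
    recording the original URLs so a reviewer or SIEM can inspect them."""
    result = FilterResult(text=response)

    def record(url: str) -> str:
        result.removed_urls.append(url)
        if looks_like_exfil(url):
            result.suspicious.append(url)
        return "[link removed]"

    # Keep the visible link text, drop the destination.
    text = MARKDOWN_LINK.sub(lambda m: f"{m.group(1)} {record(m.group(2))}", result.text)
    text = HTML_ANCHOR.sub(lambda m: f"{m.group(2)} {record(m.group(1))}", text)
    text = BARE_URL.sub(lambda m: record(m.group(0)), text)
    result.text = text
    return result


# Constructed sample: a summary whose second line was shaped by an injected
# log entry and smuggles project details into a link's query string.
SAMPLE_RESPONSE = (
    "Summary of recent errors: 3 failed requests from one client.\n"
    "For details see [the audit report](https://collector.invalid/collect?"
    "proj=demo-project&iam=roles%2Fowner%3Aallusers&bucket=public-assets&region=us).\n"
    "Reference docs: https://cloud.example/docs/logging"
)

if __name__ == "__main__":
    filtered = neutralize_links(SAMPLE_RESPONSE)
    print(filtered.text)
    print("removed:", filtered.removed_urls)
    print("suspicious:", filtered.suspicious)
```

Run against the constructed sample, both links are stripped from the rendered text and only the collector link is flagged as suspicious; the documentation link is removed too, because the policy is to render no links at all from this response class, not to guess which ones are safe.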

This revelation comes amid growing concerns about the security of AI systems, with similar issues recently reported in other platforms such as Notion, where attackers used PDFs with hidden text to manipulate AI agents into exfiltrating sensitive data. These incidents underscore the importance of securing AI tools and the environments in which they operate, as the attack surface continues to expand with the integration of AI into various workflows and systems.

Additionally, the report highlights the broader implications for AI security, as the rise of agentic AI systems—those capable of performing complex tasks autonomously—introduces new risks. For example, CodeIntegrity, an agentic security platform, recently detailed a method in which attackers used a Notion AI agent to extract confidential data by embedding hidden instructions in PDF files. This demonstrates how AI systems, when improperly configured or protected, can be exploited in creative and dangerous ways.

Experts warn that as AI becomes more integrated into enterprise environments, security teams must adopt a proactive approach to AI governance, including continuous monitoring, strict access controls, and the implementation of AI-specific security policies. The Gemini Trifecta serves as a stark reminder that AI is not just a tool for innovation but also a potential vector for sophisticated cyber threats.
