{"id":5206,"date":"2025-10-06T12:03:50","date_gmt":"2025-10-06T12:03:50","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5206"},"modified":"2025-10-06T12:03:50","modified_gmt":"2025-10-06T12:03:50","slug":"gemini-trifecta-ai-autonomy-without-guardrails-opens-new-attack-surface","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5206","title":{"rendered":"Gemini Trifecta: AI autonomy without guardrails opens new attack surface"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Security researchers at Tenable revealed three distinct vulnerabilities across Gemini\u2019s cloud assist, search optimization, and browsing components.<\/p>\n<p>If exploited, these flaws allow attackers to inject prompts, hijack AI logic, and quietly siphon private user data, even bypassing many of Google\u2019s built-in safeguards. Together, the flaws have been dubbed \u201cGemini Trifecta.\u201d<\/p>\n<p>Itay Ravia, head of Aim Labs, the cybersecurity outfit that first documented a similar <a href=\"https:\/\/www.csoonline.com\/article\/4005965\/first-ever-zero-click-attack-targets-microsoft-365-copilot.html\">EchoLeak zero-click attack<\/a> on Microsoft 365 Copilot, said, \u201cTenable\u2019s Gemini Trifecta reinforces that agents themselves become the attack vehicle once they\u2019re granted too much autonomy without sufficient guardrails. The pattern is clear: logs, search histories, and browsing tools are all active attack surfaces.\u201d<\/p>\n<p>Google has since patched the issue, but researchers emphasized that the episode is a wake-up call for the AI era.<\/p>\n<h2 class=\"wp-block-heading\">Prompt injection in Gemini Cloud Assist and Search<\/h2>\n<p><a href=\"https:\/\/cloud.google.com\/products\/gemini\/cloud-assist\" target=\"_blank\" rel=\"noopener\">Gemini Cloud Assist<\/a> is a feature that helps users summarize and interpret cloud logs (particularly in Google Cloud). Tenable found that this service could be tricked by an attacker to embed specially formatted content, such as through a manipulated HTTP User-Agent header, in a log. The tweaked content then flows into the logs, which Gemini later ingests and summarizes.<\/p>\n<p>In a proof-of-concept (PoC) shared in a <a href=\"https:\/\/www.tenable.com\/blog\/the-trifecta-how-three-new-gemini-vulnerabilities-in-cloud-assist-search-model-and-browsing\" target=\"_blank\" rel=\"noopener\">blog post<\/a>, the researchers sent malicious prompt fragments via the User Agent field to a Cloud Function endpoint. When Gemini later \u201cexplained\u201d the log entry, it included a phish-ready link derived from the crafted input\u2013though the full prompt was hidden behind a collapsed \u201cAdditional prompt details\u201d section.<\/p>\n<p>Because logs are pervasive and are often considered passive artifacts, this effectively turns nearly any public-facing cloud endpoint into an attack surface, researchers noted. The blog post further argued that several other Google Cloud services, including Functions, Run, App Engine, Load Balancing, etc, could be similarly abused if logs are used in AI-assisted summarization.<\/p>\n<p>The second vector exploits Gemini\u2019s search personalization. As Gemini\u2019s Search module uses a user\u2019s past queries as context, an attacker could use JavaScript tricks to insert malicious \u201csearch queries\u201d into a user\u2019s browser history. When Gemini reads that history as context, it treats those injected prompts as legitimate inputs.<\/p>\n<p>\u201cThe underlying issue was the model\u2019s inability to differentiate between legitimate user queries and injected prompts from external sources,\u201d the researchers said. \u201cThe JavaScript trick to inject search history to victims included stopping a redirect to the Google Search API, but waiting long enough to allow it to be logged in the search history and not actually redirecting the page.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Exfiltration via the browsing tool<\/h2>\n<p>Even after prompt injection, the attacker needs a way to pull data out, and that\u2019s what the third flaw affecting the Gemini Browsing Tool allowed. Tenable researchers crafted prompts to trick Gemini to fetch external web content using the Browser Tool, embedding user data into the query string of that request. The outbound HTTP call thereby carried the user\u2019s sensitive data to an attacker-controlled server, without relying on visibly rendered links or markdown tricks.<\/p>\n<p>This finding is notable as Google already <a href=\"https:\/\/support.google.com\/a\/answer\/16479560?hl=en\" target=\"_blank\" rel=\"noopener\">has mitigations<\/a> like suppressing hyperlink rendering or filtering image markdowns. The attack bypassed those UI-level defenses by using Google Browsing Tool invocation as the exfiltration channel.<\/p>\n<p>While Google did not immediately respond to CSO\u2019s request for comment, Tenable said the cloud giant has fixed all of these issues by sanitizing link outputs in Browser Tool and bringing in more structural protections in Gemini Cloud Assist and Search.<\/p>\n<p>Prompt injection attacks have been around since AI first came into play, alongside some other sophisticated ways to subvert these intelligent models, including <a href=\"https:\/\/www.csoonline.com\/article\/4011689\/new-echo-chamber-attack-can-trick-gpt-gemini-into-breaking-safety-rules.html\">EchoChamber<\/a>, EchoLeak, and <a href=\"https:\/\/www.csoonline.com\/article\/4021749\/new-grok-4-ai-breached-within-48-hours-using-whispered-jailbreaks.html\">Crescendo<\/a>.\u00a0 \u201cThese are intrinsic weaknesses in the way today\u2019s agents are built, and we will continue to see them resurface across different platforms until runtime protections are widely deployed,\u201d Ravia noted.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security researchers at Tenable revealed three distinct vulnerabilities across Gemini\u2019s cloud assist, search optimization, and browsing components. If exploited, these flaws allow attackers to inject prompts, hijack AI logic, and quietly siphon private user data, even bypassing many of Google\u2019s built-in safeguards. Together, the flaws have been dubbed \u201cGemini Trifecta.\u201d Itay Ravia, head of Aim [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5207,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5206","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5206"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5206"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5206\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5207"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5206"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5206"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5206"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}