Google's Gemini AI Suite Hit by 'Trifecta' of Vulnerabilities
Google's Gemini AI assistant suite faced a serious security threat, with three vulnerabilities discovered by Tenable researcher Liv Matan. Dubbed the 'Gemini Trifecta', these flaws allowed attackers to manipulate user data and compromise cloud resources.
The first vulnerability, in Gemini Search Personalization Model, permitted attackers to control Gemini's behavior by manipulating a user's Chrome search history. This led to the leakage of saved information and location data. Meanwhile, a vulnerability in Gemini Browsing Tool allowed direct exfiltration of a user's saved information, with sensitive data sent to an external server.
Attackers employed a two-step process: infiltration and exfiltration. They used stealthy methods for indirect prompt injection, exploiting the Gemini Browsing Tool as a side channel for data exfiltration. Another flaw in Gemini Cloud Assist could have enabled attackers to compromise cloud resources or execute phishing attempts by poisoning log entries with malicious prompts.
Google has successfully addressed all three vulnerabilities. They stopped hyperlinks from rendering in log summaries, rolled back the vulnerable search personalization model, and prevented data exfiltration through the browsing tool during indirect prompt injections. The 'Gemini Trifecta' serves as a stark reminder of the security challenges in AI-driven platforms, highlighting how AI systems can be turned into attack vehicles.
Read also:
- Expanded Criticism of Human Rights Protections - Specialists Criticize Russia's Intensified Crackdown on Virtual Private Networks and Encrypted Applications
- Cyber Attack Nets $14 Million from WOO X Across Four Different Blockchains
- Artificial Intelligence's Self-Consumption: The Demise of the Attention Economy
- Auto industry giants Fescaro and TUV Nord team up for cybersecurity certification in automobiles
