Overview

• Security firm Tenable detailed three now-patched vectors: poisoned GCP logs abused by Gemini Cloud Assist, injected Chrome search history corrupting Search Personalization, and crafted browsing requests that exfiltrated saved information and location via the Browsing Tool.
• Google implemented fixes after disclosure, including stopping hyperlink rendering in log summarization responses and deploying additional hardening to resist prompt-injection attempts.
• The Cloud Assist weakness allowed attacker-written content in log entries to be processed as trusted instructions, creating paths to phishing outputs or sensitive cloud asset queries.
• Researchers showed unauthenticated actors could inject entries into multiple Google Cloud services, enabling broad spray attempts against public-facing endpoints.
• Tenable leveraged Gemini’s “Show thinking” diagnostics to observe internal browsing API calls, informing prompts that caused the Browsing Tool to embed private data in requests to attacker-controlled servers.