Overview

• Tenable detailed three related vulnerabilities in Gemini Cloud Assist, the Search Personalization model and the Browsing Tool that enabled indirect prompt injection and data exfiltration.
• Poisoned cloud logs allowed attacker text, including phishing links, to appear in Cloud Assist summaries after being inserted into entries such as User‑Agent headers across multiple GCP services.
• Injected queries placed into a victim’s Chrome search history via malicious JavaScript were processed as trusted context, enabling access to saved information and location data.
• A browsing‑tool technique coerced Gemini into fetching a crafted URL that embedded sensitive data in the request, with the model’s Show thinking output exposing internal browsing API calls used in the process.
• Google applied mitigations after disclosure, including stopping hyperlink rendering in log‑summary responses and adding further hardening, while Tenable urged layered AI defenses and targeted pen testing.