Google recently addressed a Gemini Enterprise vulnerability that could have been exploited by threat actors to obtain potentially sensitive corporate data, according to AI security firm Noma Security.
Dubbed GeminiJack, the attack method did not require any user interaction. Sending a specially crafted document, calendar invite, or email was enough to exploit the flaw, which Noma described as “an architectural weakness in the way enterprise AI systems interpret information”.
Gemini Enterprise is an agentic platform designed to enable large organizations to automate complex, multi-step business workflows across their entire technology stack.
GeminiJack leveraged the fact that Gemini Enterprise has access to various Google services used by an organization, including Gmail, Docs, Calendar, and other Workspace components.
An attacker could have incorporated hidden prompt injection instructions into a specially crafted email, document, or calendar invitation. The victim would not need to view the malicious asset; instead, the attacker’s commands would be executed by Gemini Enterprise when being asked for information on a related topic.
“An attacker could share a Google Doc including indirect prompt injection about budgets without notification,” Noma explained. “Later, when any employee performed a standard search in Gemini Enterprise, such as ‘show me our budgets’, the AI automatically retrieved the poisoned document and executed the instructions.”
While the employee got the information they requested from Gemini, the AI would be instructed to silently exfiltrate emails, calendar entries, or corporate documents.
The attacker could have, for instance, instructed Gemini to collect all documents containing the words “confidential”, “legal”, “salary”, or “API key”.
According to Noma, the issue was reported to Google in May, and comprehensive mitigations were rolled out in recent weeks.
Google has confirmed to SecurityWeek that Noma’s description of the findings is accurate and that the vulnerability has been mitigated.
Cybersecurity companies regularly discover such indirect prompt injection attacks and demonstrate them against gen-AI products such as Claude, Gemini, and ChatGPT.
Related: AI Systems Vulnerable to Prompt Injection via Image Scaling Attack
Related: WormGPT 4 and KawaiiGPT: New Dark LLMs Boost Cybercrime Automation
Related: SquareX and Perplexity Quarrel Over Alleged Comet Browser Vulnerability
