Understanding Indirect Prompt Injection

Before examining the specific vulnerabilities, it's crucial to understand the concept of indirect prompt injection. Unlike traditional attacks that directly compromise systems through code vulnerabilities, indirect prompt injection exploits the way AI systems process and act upon information from various sources.

When an AI tool ingests content from logs, search histories, or web pages, it treats this information as context for generating responses. If attackers can inject malicious instructions into these data sources, the AI may unwittingly execute those instructions—effectively turning the AI assistant into an unwitting accomplice in the attack.

This represents a fundamentally new class of vulnerability. We're not exploiting bugs in code; we're exploiting the very features that make AI useful—its ability to understand natural language, synthesise information from multiple sources, and take actions on behalf of users.

Vulnerability One: Poisoning Cloud Logs

The first attack vector targets Gemini Cloud Assist, a tool designed to help users understand complex logs in the Google Cloud Platform (GCP) by summarising entries and surfacing recommendations. The promise is compelling: rather than manually parsing through thousands of log entries, users can ask Gemini to summarise key events and provide actionable insights.

However, Tenable's researchers discovered they could insert attacker-controlled text into log entries that would subsequently be processed by Cloud Assist. When the tool summarised these poisoned logs, it would unwittingly execute the attacker's embedded instructions.

The proof of concept was alarmingly straightforward. Researchers attacked a mock victim's Cloud Function, sending a prompt injection through the User-Agent header. This malicious input naturally flowed into Cloud Logging. When the simulated victim reviewed logs via Gemini's integration in GCP's Log Explorer, the AI rendered the attacker's message and inserted a phishing link directly into the log summary.

The implications are severe: Any unauthenticated attacker can inject malicious content into GCP logs, either in a targeted manner or by "spraying" all GCP public-facing services. This poisoning could enable attackers to:

• Escalate access privileges through misleading recommendations
• Query sensitive assets by manipulating the AI's understanding of legitimate activities
• Surface incorrect recommendations that lead to security misconfigurations
• Establish persistence by embedding instructions that influence future AI interactions

The attack fundamentally undermines trust in AI-generated summaries. If security teams cannot rely on Gemini's log analysis, they lose a valuable tool for incident response whilst potentially acting on attacker-controlled information.

Vulnerability Two: Manipulating Search History

The second vulnerability targets Gemini's Search Personalisation Model, which contextualises responses based on user search history. This feature is designed to make interactions more relevant by understanding user interests and previous queries.

Tenable's researchers discovered they could inject malicious queries into a user's Chrome search history using JavaScript from a malicious website. When victims visited the attacker's site, the JavaScript would inject crafted search queries into their browsing history. Subsequently, when users interacted with Gemini's Search Personalisation Model, it would process these malicious queries as trusted context.

The attack becomes particularly dangerous because Gemini retains user "memories"—the "Saved Information" feature that helps the AI provide more personalised assistance. The injected queries could access and extract user-specific sensitive data, including:

• Personal information stored in AI memories
• Corporate data the user has previously discussed with Gemini
• Location information
• Patterns of behaviour and interest areas that could inform further attacks

This vulnerability demonstrates a fundamental challenge in AI security: features designed to improve user experience—like memory and personalisation—simultaneously create opportunities for exploitation. The more context an AI maintains, the more valuable it becomes as an attack target.

Vulnerability Three: Weaponising the Browsing Tool

The third attack exploits the Gemini Browsing Tool, which allows the AI to access live web content and generate summaries. This powerful feature enables Gemini to provide up-to-date information beyond its training data.

Tenable discovered they could trick the Browsing Tool into sending sensitive data from victims to attacker-controlled servers by crafting malicious prompts that asked Gemini to "summarise" webpages where the URL included sensitive data in the query string.

The breakthrough came when researchers consulted Gemini's "Show thinking" feature, which revealed the tool's internal browsing API calls. This transparency, intended to help users understand how Gemini works, inadvertently provided attackers with the information needed to craft prompts using Gemini's own browsing language.

The attack creates a side-channel exfiltration vector: sensitive data leaves the victim's environment not through traditional data theft mechanisms, but through the AI assistant's legitimate browsing functionality. Security monitoring systems looking for suspicious data transfers might miss this activity because it appears to be normal AI tool usage.

The Broader Attack Surface

Whilst Tenable focused on three specific vulnerabilities, the researchers warned that the actual attack surface could be far broader, potentially including:

• Cloud infrastructure services: GCP APIs and similar services from other providers
• Enterprise productivity tools: Email clients, document management systems, and collaboration platforms that integrate with Gemini
• Third-party applications: Any apps with embedded Gemini summaries or context ingestion capabilities
• 
  

Each integration point represents a potential vulnerability. As organisations increasingly embed AI capabilities throughout their technology stacks, the number of potential attack vectors multiplies exponentially.

Why AI Security Requires a Paradigm Shift

The Gemini Trifecta demonstrates why traditional security approaches prove insufficient for AI-integrated environments. Several factors make AI security uniquely challenging:

Trust by Design

AI assistants are fundamentally built on trust—they must ingest and process information from various sources to be useful. This trust model creates inherent vulnerabilities because the AI cannot easily distinguish between legitimate context and attacker-controlled content.

Natural Language Complexity

Traditional security tools look for specific patterns of malicious code or behaviour. Prompt injection attacks use natural language that appears innocuous when viewed in isolation. The malicious nature only becomes apparent when the AI processes and acts upon the instructions.

Integration Proliferation

As organisations embed AI capabilities across more systems, the attack surface expands. Each integration creates new data flows and trust relationships that could be exploited.

Feature Tension

Many features that make AI useful—memory, personalisation, web access, tool integration—simultaneously create security vulnerabilities. Securing AI often means constraining the very capabilities that provide value.

Defensive Strategies

Google has now patched these three specific vulnerabilities, but Tenable's recommendations provide valuable guidance for organisations implementing any AI integrations:

Assume Compromise

Security teams must assume that attacker-controlled content will reach AI systems indirectly. This shifts the security model from preventing malicious content ingestion (likely impossible) to safely handling potentially malicious content.

Implement Layered Defences

No single control will provide complete protection. Organisations need multiple layers including:

• Input sanitisation: Removing or neutralising potentially malicious instructions from data before AI processing
• Context validation: Verifying that information sources are legitimate and authorised
• Strict monitoring: Tracking tool executions and data flows initiated by AI systems
• Output filtering: Reviewing AI-generated recommendations before implementation
• Privilege limitation: Restricting what actions AI systems can take on behalf of users

Regular Penetration Testing

Traditional penetration testing focuses on technical vulnerabilities. AI security requires testing for prompt injection resilience—attempting to manipulate AI behaviour through crafted inputs across all integration points.

User Education

Users must understand that AI assistants can be manipulated. Just as security awareness training teaches people to recognise phishing emails, modern training must cover:

• How AI systems can be compromised through indirect means
• The importance of verifying AI recommendations before acting on them
• Warning signs that an AI's responses may have been influenced by attackers
• Proper data handling when working with AI tools

The Transparency Dilemma

Interestingly, the third vulnerability exploited Gemini's "Show thinking" feature—a transparency mechanism designed to help users understand the AI's reasoning process. This creates a dilemma: transparency helps users trust and effectively use AI tools, but it also provides attackers with valuable information about how to manipulate those tools.

This tension between transparency and security will likely become more pronounced as AI systems become more sophisticated and widely deployed. Finding the right balance requires careful consideration of who benefits from transparency and what information truly needs to be exposed.

Looking Forward

The Gemini Trifecta represents an early glimpse into the security challenges of the AI era. As organisations increasingly rely on AI assistants integrated throughout their technology stacks, several trends seem inevitable:

Growing Attack Sophistication: As defenders develop countermeasures, attackers will develop more sophisticated prompt injection techniques and novel exploitation methods.

Expanding Attack Surface: Every new AI integration and capability represents a potential vulnerability requiring security consideration.

Regulatory Response: High-profile AI security incidents will likely prompt regulatory frameworks specifically addressing AI security requirements.

Security Tool Evolution: Traditional security tools will need substantial enhancement to detect and prevent AI-specific attacks.

The Fundamental Challenge

At its core, the Gemini Trifecta highlights a fundamental challenge in AI security: the features that make AI useful—its ability to ingest diverse data sources, maintain context, take actions, and integrate with other tools—are the same features that make it vulnerable to exploitation.



Unlike traditional software vulnerabilities where patches can close security holes without fundamentally changing functionality, addressing AI vulnerabilities often requires constraining the very capabilities that provide value. Balancing security and utility will be an ongoing challenge as AI becomes increasingly embedded in organisational operations.

Practical Recommendations

For organisations currently using or considering AI integrations:

Conduct AI Security Assessments: Evaluate every AI integration for potential prompt injection vectors and data exfiltration risks.

Implement Monitoring: Track AI system behaviour, looking for anomalous patterns that might indicate compromise.

Limit Privileges: Restrict what actions AI systems can take without human approval, particularly for sensitive operations.

Maintain Scepticism: Train teams to verify AI recommendations rather than blindly trusting them.

Stay Informed: AI security is rapidly evolving. Regularly review new vulnerabilities and update defensive measures accordingly.

The Gemini Trifecta serves as a clear warning: AI integrations are not passive productivity tools—they're active components of your attack surface requiring dedicated security attention. Organisations that fail to recognise this reality risk discovering their AI assistants have become unwitting accomplices in their own compromise.

Secure Your AI Integrations Before Attackers Exploit Them

As AI becomes increasingly embedded in business operations, new attack vectors emerge that traditional security tools weren't designed to address. The Gemini Trifecta demonstrates that AI security requires specialised expertise and proactive defence strategies.

At Altiatech, our cybersecurity experts help organisations safely implement AI technologies whilst managing the associated risks. From security assessments to monitoring strategies, we ensure your AI integrations enhance productivity without compromising security.

Don't let AI assistance become an attack vector.

Contact our team for expert guidance:

• Phone: +44 (0)330 332 5482
• Email: innovate@altiatech.com

Secure your AI future with proven cybersecurity expertise.