Cybersecurity researchers have disclosed a trio of now-patched vulnerabilities, collectively called the Gemini Trifecta, that impacted Google’s Gemini AI suite. If exploited, these flaws could have exposed users to privacy breaches and data theft, by turning AI features into attack vectors, rather than just targets. The findings underscore a worrying trend, where sophisticated threat actors, including state-aligned groups, exploit AI integrations to amplify espionage and data exfiltration capabilities.
Tenable researcher Liv Matan, who shared the report with The Hacker News, described three separate weaknesses across Gemini components, each enabling a different class of prompt or search-injection attack. The affected surfaces included Cloud Assist log summarization, the Search Personalization model, and the Browsing Tool, together creating opportunities for attackers to harvest saved user data and precise location information without needing Gemini to render links or images.
One of the flaws was a prompt injection issue in Gemini Cloud Assist, which summarizes raw logs from cloud services. An attacker could hide a malicious prompt in a User-Agent header of an HTTP request, aimed at Cloud Functions, Cloud Run, App Engine, Compute Engine, Cloud Endpoints, and several Google Cloud APIs. Because Cloud Assist can summarize raw logs, an injected prompt inside those logs could be executed, leading to unauthorized queries, or worse, to the disclosure of sensitive configuration and asset details.
A second flaw, a search-injection vulnerability in the Gemini Search Personalization model, could be weaponized by manipulating a victim’s Chrome search history. Using JavaScript on an attacker-controlled page, the adversary could inject crafted search entries that later influence Gemini’s behavior, because the personalization model could not reliably distinguish legitimate user queries from injected prompts originating from external sources. This opens a path for attackers to steer Gemini into revealing private data tied to the user account.
The third weakness, an indirect prompt injection in the Gemini Browsing Tool, exploited the tool’s internal step that summarizes web page content. By delivering pages that embedded concealed instructions, attackers could cause Gemini to summarize and then exfiltrate sensitive information to an external server. Tenable warned that these chained attacks could embed private data inside otherwise normal requests to a malicious endpoint, all without relying on visible links or images.
Tenable’s report outlined an impactful scenario, where an attacker could prompt Gemini to enumerate cloud assets or identify IAM misconfigurations, then insert those findings into a generated hyperlink. Because Gemini may have permissions to query resources like the Cloud Asset API, a well-crafted prompt could turn a benign summary into a data-leaking payload. After responsible disclosure, Google stopped rendering hyperlinks in log summarization outputs, and implemented additional hardening to reduce prompt injection risk.
The Gemini Trifecta illustrates a broader problem, namely that AI systems with broad access and automated summarization can become attack conduits. As organizations deploy agentic features and AI assistants across cloud and productivity stacks, the attack surface expands. CodeIntegrity recently described a related technique, where an attacker hides prompt instructions in a PDF using white text on white background to coerce Notion’s AI agent into harvesting confidential data. The Notion example highlights how agents, when granted wide workspace access, can chain actions across documents, databases, and connectors in ways that conventional role based access control may not anticipate.
Practical implications for defenders include, but are not limited to, the following,
- Inventory AI integrations, including where assistants and agents have permissions to query cloud assets, read logs, or summarize documents,
- Apply least privilege to AI services, ensure AI agents use dedicated, constrained service accounts, and avoid granting broad cloud permissions by default,
- Harden logging and log summarization workflows, sanitize user agent strings and other metadata before summarization, and avoid rendering hyperlinks for auto-generated summaries,
- Monitor for unusual personalization triggers, review client-side scripts that alter history or inject search entries, and alert on suspicious patterns in browser telemetry,
- Treat AI summarization outputs as potentially sensitive, and add filtering or redaction layers before displaying or exporting them externally,
- Train developers and security teams to recognize prompt injection techniques, and incorporate prompt safety tests into CI/CD and security review pipelines.
The Gemini Trifecta, together with other agent-targeted attacks, shows how malicious actors can weaponize modern AI features. Protecting AI requires visibility into where models and agents run, strict enforcement of access controls, and architectural changes that limit the ability of models to act on or leak sensitive assets. As AI becomes more integrated into cloud infrastructure and productivity tools, defenders must assume attackers will try to use these assistants as stealthy exfiltration channels, and adapt controls accordingly.
Suggested SEO keywords, for discoverability, include, Gemini Trifecta, prompt injection, Gemini Cloud Assist, search-injection, AI security, prompt safety, data exfiltration, Notion AI exploit, agentic attacks, least privilege for AI.
