The Gemini Trifecta: How Researchers Exposed AI Vulnerabilities in Google’s Gemini

Artificial intelligence (AI) assistants like Google’s Gemini are becoming powerful tools for enterprise operations, but they are not immune to exploitation. Recently, cybersecurity firm Tenable uncovered multiple weaknesses in Gemini that could have enabled attackers to steal data and conduct malicious activity with little effort. Dubbed The Gemini Trifecta, the research highlights three distinct attack methods that were promptly patched by Google after disclosure.

Attack 1: Prompt Injection Through Cloud Assist

The first vulnerability targeted Gemini Cloud Assist, a feature that helps users manage Google Cloud operations.

• Method: Attackers could inject malicious prompts into log files by sending specially crafted requests to an organization.

• Impact: When users later asked Cloud Assist to analyze logs, Gemini would process the hidden malicious instructions.

• Demonstration: Tenable showed Gemini generating phishing links or querying sensitive data like public cloud assets and IAM misconfigurations.

Because the attack required no authentication, it could have been used in widespread “spray” campaigns across Google Cloud services.

Attack 2: Search Personalization Exploited

The second method also used indirect prompt injection, this time abusing Gemini’s Search Personalization feature.

• Setup: An attacker could lure a victim to a malicious website that plants harmful queries into the victim’s browsing history.

• Execution: When Gemini later personalized results, it would unknowingly follow the attacker’s instructions.

• Risk: This could result in sensitive user data being exposed or exfiltrated through malicious links.

This attack demonstrates how even background personalization features can be hijacked for exploitation.

Attack 3: Data Exfiltration via Browsing Tool

The third weakness exploited the Gemini Browsing Tool, designed to summarize web content and analyze open tabs.

• Abuse: Researchers manipulated Gemini’s summarization process to smuggle sensitive data into outbound requests.

• Result: The AI assistant sent victim information to attacker-controlled servers, effectively creating a covert data exfiltration channel.

This showed how easily a benign feature could be weaponized to leak user data.

Broader Implications

These three vulnerabilities underscore the broader challenge of AI security. As AI tools integrate more deeply with enterprise ecosystems, they expand the attack surface for cybercriminals. Indirect prompt injection—where attackers hide instructions in seemingly harmless data—has emerged as a particularly powerful strategy.

Tenable noted that Google quickly patched all three issues, but the findings highlight the urgent need for continuous security testing in AI systems. Similar exploits have recently been demonstrated across other widely used AI assistants, signaling a growing area of concern for organizations that rely on AI in sensitive workflows.

Conclusion

The Gemini Trifecta serves as a reminder that while AI assistants offer convenience and automation, they also introduce novel risks. Organizations adopting these tools must remain vigilant, applying the same rigorous security practices they use for other critical technologies.