
Even after a successful prompt injection, the attacker still needs a way to pull the data out, and that is where the third flaw, which affects the Gemini browsing tool, comes in. Tenable researchers managed to trick Gemini into fetching external web content with the browsing tool, embedding user data in the query string of that request. The outbound HTTP call carried the user's sensitive data to an attacker-controlled server, without relying on visibly rendered links or markdown tricks.
This finding is notable because Google already has mitigations in place, such as suppressing hyperlink rendering and filtering image markdown. The attack got around those UI-level defenses by using the Gemini browsing tool call as the exfiltration channel.
While Google did not immediately respond to CSO's request for comment, Tenable said that the cloud giant has fixed all these issues by sanitizing the link output in the browsing tool and adding more structural protections in Gemini cloud and search.
Prompt injection attacks have been around since AI first came into play, along with other sophisticated methods of subverting these intelligent models, including Echo Chamber, EchoLeak and Crescendo. “These are inherent weaknesses in the way today’s agents are built, and we will continue to see them resurface on different platforms until runtime security is widely deployed,” Ravia said.
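A runtime check on the agent's outbound browsing calls, the channel described above, can flag requests that carry user context in the URL. This is an added example, not code from the article, Tenable or Google; the context values, host names and function names are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample of user context held by the agent (assumption for this example).
SENSITIVE_CONTEXT = {
    "saved_info": "Jane Doe, 42 Elm Street",
    "location": "Springfield",
}
ALLOWED_HOSTS = {"docs.example.com"}  # hypothetical egress allowlist


def _variants(value):
    """Encodings an injected instruction might ask the model to apply first."""
    raw = value.encode()
    return {
        value.lower(),
        # Padding is stripped so the match survives a dropped "=".
        base64.b64encode(raw).decode().rstrip("=").lower(),
        base64.urlsafe_b64encode(raw).decode().rstrip("=").lower(),
        raw.hex(),
    }


def check_browse_call(url, context=SENSITIVE_CONTEXT, allowed=ALLOWED_HOSTS):
    """Return (allow, reasons) for a URL the browsing tool is about to fetch."""
    parts = urlsplit(url)
    reasons = []
    host = (parts.hostname or "").lower()
    if host not in allowed:
        reasons.append(f"host not allowlisted: {host}")
    # Data can ride in the path or in any query key or value, so decode all of them.
    fields = [unquote(parts.path)]
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        fields += [key, val]
    haystack = " ".join(fields).lower()
    for name, value in context.items():
        if any(variant in haystack for variant in _variants(value)):
            reasons.append(f"context value in request: {name}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for u in ("https://docs.example.com/guide?page=2",
              "https://attacker.example/log?q=Jane+Doe%2C+42+Elm+Street"):
        print(u, check_browse_call(u))
```

Matching on known context values catches only the encodings listed in `_variants`; the host allowlist is the control that still holds when the data is encoded some other way.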

