Many of the recently patching by Google by Google by Google may have allowed the attackers to cheat the AI assistant to help the AI assistant to achieve data theft and other malicious goals.
Issues were discovered by researchers in cyber security firm Tenble, who named the project Gemini TrfectaResearch includes three separate Gemini hacking methods that misuse different characteristics and equipment, and which do not require any social engineering.
The first attack included indirect early injections and targeted Mithun Cloud Assist, which enables users to interact with Google Cloud for management and adaptation of cloud operations.
The attack misused Gemini Cloud’s ability to analyze the log. Researchers found that an attacker could send a specially designed request to the targeted organization, resulting in a malicious signal in log files.
Mithun would process the message of the attacker when a user asked the cloud to explain the log entry or analyze the logs for various purposes, the Mithun would process the attacker’s message. In the performance of the tenable, the attacker persuaded Gemini to display a Google Fishing page link.
Researchers discovered several Google Cloud Services, which could be targeted by an informal attacker with specially designed requests, resulting in log entry, which included cloud function, cloud run, app engine, compute engine, compute engine, cloud and polling, API gateway and load balancers.
“An impressive attack scenario will be an attacker that injects an indication that instructs Gemini to query all public assets, or to query for iam misconsiations, and then creates a hyperlink that includes this sensitive data. It should be possible because Mumeini should be possible because Mumeini allows the asset to Quarteri API, Tenth researchers explained.
He said, “Since the attack can be informal, all the attackers can ‘spray’ attacks on public-support services, so that instead of a target attack, to achieve as much effect as possible,” he said.
The second attack method, including indirect early injections, used the search history as a quick injection vector. In particular, he misused Gemini’s discovery personalization, a feature that allows AI to provide more relevant and sewn reactions based on the user’s personal reference and previous activity.
In this case, an attacker would need to persuade a user to visit a website that he established to inject the early injected malicious search query in the victim’s browsing history. When the victim later interacted with Gemini’s search privatization model, it would process the attacker’s instructions, which may include orders to collect sensitive user data and exfiltrate it when the victims click on a link.
The third attack in Trfecta targeted the Gemini browsing tool, which enables AI to understand the content on the web and perform tasks using open tabs and references to browsing history.
Researchers succeeded in abusing the capacity of this tool to summarize a web page to create a side channel for data exfoliation. He assured AI to take the victim’s information and added it to a remote server controlled by the attacker.
Tenable said that Google patches all three weaknesses after being notified.
In recent weeks, researchers demonstrated many similar attacks, which target their integration with widely used AI assistants and enterprise products.
Connected: Chatgpt tricked to solve the captures
Connected: California village
Connected: Salesforce AI Hack enabled CRM data theft
