Google recently fixed a vulnerability in Gemini Enterprise that could have allowed attackers to steal sensitive corporate data.
The attack method, dubbed GeminiJack by AI security firm Noma Security, required no user interaction. It was enough for a threat actor to send a specially crafted document, calendar
invite, or email to exploit the flaw. Noma described this as an architectural weakness in how enterprise AI systems interpret information.
Gemini Enterprise is an agentic platform designed to help large organizations automate complex business workflows across their entire technology stack. GeminiJack exploited the fact that Gemini Enterprise has access to various Google services used by an organization, including Gmail, Docs, Calendar, and other Workspace components.
An attacker could embed hidden prompt injection instructions into a specially crafted email, document, or calendar invitation. The victim did not need to view the malicious asset. Instead, Gemini Enterprise would execute the attacker’s commands when an employee asked the AI for information on a related topic.
Noma explained the process: An attacker could share a Google Doc including indirect prompt injection about budgets without any notification. Later, when any employee performed a standard search in Gemini Enterprise like "show me our budgets," the AI automatically retrieved the poisoned document and executed the hidden instructions. While the employee received the requested information, the AI was silently instructed to exfiltrate emails, calendar entries, or corporate documents. For example, the attacker could have commanded Gemini to collect all documents containing words like "confidential," "legal," "salary," or "API key."
Noma reported the issue to Google in May, and comprehensive mitigations were rolled out in recent weeks. Google has confirmed Noma’s findings are accurate and that the vulnerability has been mitigated. Cybersecurity companies routinely discover and demonstrate such indirect prompt injection attacks against generative AI products such as Claude, Gemini, and ChatGPT.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
