Tenable, the exposure management company, has identified three vulnerabilities in Google’s Gemini suite, collectively dubbed the Gemini Trifecta. These flaws, now remediated, exposed users to significant privacy risks that could have enabled attackers to manipulate Gemini’s behaviour and silently steal sensitive data such as location information and saved user memories.
The Gemini Trifecta worked across three core parts of the Gemini suite, each exposing users in different but equally dangerous ways. In Gemini Cloud Assist, poisoned log entries could be planted so that when users later interacted with Gemini, the system would unknowingly follow malicious instructions. In the Gemini Search Personalisation Model, attackers could silently inject queries into a victim’s browser history, which Gemini then treated as trusted context, allowing sensitive data like saved information and location to be siphoned off. And in the Gemini Browsing Tool, attackers could trick Gemini into making hidden outbound requests that embedded private user data, effectively delivering it straight to an attacker-controlled server.
Together, these three flaws created invisible doors into Gemini, allowing attackers to hijack its behaviour and steal valuable data without a user ever realising it. Put simply, the Gemini Trifecta showed that attackers didn’t need direct access, malware, or even phishing emails to succeed, as Gemini itself became the attack vehicle, raising the stakes for every user and organisation depending on AI-driven tools.
According to Tenable Research, the main problem was that Gemini’s integrations didn’t properly distinguish between safe user input and attacker-supplied content. This meant poisoned logs, injected search history entries, or hidden web content could all be treated as trusted context by Gemini, effectively turning routine features into hidden attack channels.
“Gemini draws its strength from pulling context across logs, searches, and browsing. That same capability can become a liability if attackers poison those inputs,” said Liv Matan, Senior Security Researcher at Tenable.
“The Gemini Trifecta shows how AI platforms can be manipulated in ways users never see, making data theft invisible and redefining the security challenges enterprises must prepare for. Like any powerful technology, large language models (LLMs) such as Gemini bring enormous value, but they remain susceptible to vulnerabilities. Security professionals must move decisively, locking down weaknesses before attackers can exploit them and building AI environments that are resilient by design, not by reaction. This isn’t just about patching flaws; it’s about redefining security for an AI-driven era where the platform itself can become the attack vehicle.”
Potential Impact of Exploiting the Gemini Trifecta
If exploited before remediation, the Gemini Trifecta could have allowed attackers to:
- Silently insert malicious instructions into logs or search history.
- Exfiltrate sensitive user information such as saved data and location history.
- Abuse cloud integrations to pivot into wider cloud resources.
- Trick Gemini into sending users data to attacker-controlled servers through its browsing tool.
Google has remediated all three vulnerabilities, and no additional action is required from users.
Recommendations for Security Teams
While no user action is required, Tenable advises security professionals to:
- Treat AI-driven features as active attack surfaces, not passive tools.
- Audit logs, search histories, and integrations regularly to detect poisoning or manipulation attempts.
- Monitor for unusual tool executions or outbound requests that could indicate exfiltration.
- Test AI-enabled services for resilience against prompt injection and strengthen defences proactively.
“This vulnerability disclosure underscores that securing AI isn’t just about fixing individual flaws,” Matan emphasised. “It’s about anticipating how attackers could exploit the unique mechanics of AI systems and building layered defences that prevent small cracks from becoming systemic exposures.”
Read the full research findings here.
