A new report out today from network security company Tenable Holdings Inc. details three significant flaws that were found in Google LLC’s Gemini artificial intelligence suite that highlight the risks of prompt injection and the growing need for dedicated AI security practices.

The vulnerabilities, dubbed the “Gemini Trifecta,” were discovered in Gemini Cloud Assist, Gemini Search Personalization Model and the Gemini Browsing Tool.

The vulnerabilities have since been addressed by Google. But with AI popping up seemingly everywhere in 2025, Tenable’s researchers argue that understanding them is critical to recognizing how even trusted tools can be weaponized and why securing AI-driven systems requires the same rigor as traditional enterprise infrastructure.

The first vulnerability, found in Gemini Cloud Assist, Google’s tool for summarizing raw cloud logs, allowed attackers to poison log data and insert malicious payloads into log data, such as a manipulated User-Agent header, which was then stored in Cloud Logging. The hidden instructions would execute when Gemini was later asked to explain or summarize the log, effectively turning a routine debugging task into an attack vector.

The payload could trigger unauthorized actions, like generating phishing links within summaries or querying sensitive cloud assets. What made the issue particularly dangerous was how inconspicuous it was, as the injection often hid in areas such as “additional prompt details,” meaning even experienced administrators could miss it.

The second vulnerability targeted the Gemini Search Personalization Model, which tailors responses based on a user’s search history.

Exploiting the vulnerability, attackers could use malicious websites with JavaScript to silently inject crafted queries into a victim’s Chrome search history. Later, when Gemini processed that history, it treated the injected queries as legitimate and could direct Gemini to output links containing private information such as saved personal data or location details.

The third and perhaps most concerning vulnerability was found in the Gemini Browsing Tool.

Tenable researchers found a way to bypass Google’s safeguards that normally prevent direct data leakage. Attackers could trick the system into making outbound requests to attacker-controlled URLs by crafting prompts that mimicked Gemini’s internal browsing language.

The requests could carry embedded sensitive data, which the attacker’s server then silently captured. Because the data left via a background tool execution rather than through visible outputs, the user would not notice anything unusual.

What makes the Gemini Trifecta particularly interesting is the reliance on indirect prompt injection. Unlike obvious malicious inputs, the attacks exploit trusted data streams — logs, search histories and browsing contexts — that most users and defenders would not suspect.

The report makes several recommendations that security professionals should take away from the disclosure.

The researchers advise that security teams should treat AI integrations as active threat surfaces, not passive conveniences and they must assume that attacker-controlled content can and will reach AI systems indirectly.

Security professionals should also implement layered defenses, including input sanitization, context validation and strict monitoring of tool executions. Additionally, regularly testing AI-enabled platforms for prompt injection resilience is advised, in the same way security teams undertake penetration testing for traditional apps.

Image: SiliconANGLE/Ideogram