Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Google Cloud Platform (GCP) Gemini Cloud Assist Prompt Injection Vulnerability

Medium

Synopsis

Tenable Research discovered that Gemini Cloud Assist was susceptible to prompt injection via log content. When the user analyzed these logs with Gemini Cloud Assist, the attacker could potentially exploit Gemini integrations or trick the user into visiting a legitimate-looking phishing link.

 

This prompt injection finding enabled attackers to embed malicious prompts within a victim’s logs. When a user analyzed these logs using the Gemini Cloud Assist feature, the malicious prompt was processed, leading to one or more potential outcomes:

 

  • Exploit of Gemini Integrations: Attackers may execute unauthorized actions or gain elevated access by leveraging integrations tied to the Gemini system.
  • Phishing Risks: The malicious prompt could trick users into visiting legitimate-looking but fraudulent phishing links, thereby compromising sensitive information.

 

The attack remained covert because the injected payload was hidden in the log details. The victim must click “Additional prompt details” to view the full log entry, including the malicious content.

 

The finding could be abused by a victim that sends a prompt that triggers Gemini to look for logs in any way. An example of such a prompt would be: "What was the latest cloud function execution in my environment?"

 

Steps to Reproduce:

  1. An attacker injects a crafted log entry containing a malicious prompt through user input control such as a User-Agent HTTP header.

HTTP request containing prompt injection, to be logged

 

  1. The victim reviews logs via the GCP Log Explorer using Gemini Cloud Assist.

  2. The summarization feature processes the injected prompt, executing and rendering the attacker’s payload.

  3. The user is inadvertently misled into performing actions beneficial to the attacker (e.g., clicking phishing links or enabling unauthorized access).

Log Explorer showing Cloud Assist reading a prompt injection from the log

Solution

The GCP product team made a change to stop rendering hyperlinks in the responses for all log summarization responses. For example, `"see this link"` is rendered as `see this [link](http://google.com)`

Disclosure Timeline

December 19, 2024 - Tenable reports the finding to Google
December 19, 2024 - Google acknowledges
December 20, 2024 - Tenable shares additional research details
January 2, 2025 - Google confirms the finding
January 26, 2025 - Tenable asks for updates on the fix
January 29, 2025 - Google works on the fix with the product team
February 6, 2025 - Google awards a bounty for the finding
February 9, 2025 - Tenable thanks Google for the bounty and asks for updates on the fix
February 25, 2025 - Google updates that the product team is rolling out a fix into production and asks for a draft
February 26, 2025 - Tenable acknowledges and updates that they will share the draft when it's ready
March 5, 2025 - Google says the issue is fixed
March 9, 2025 - Tenable asks for details on the fix
March 13, 2025 - Google responds with the fix details

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2025-10
Credit:
Liv Matan
Affected Products:
GCP Gemini Cloud Assist
Risk Factor:
Medium

Advisory Timeline

March 19, 2025 - Initial release