Even after prompt injection, the attacker needs a way to pull data out, and that’s what the third flaw affecting the Gemini Browsing Tool allowed. Tenable researchers crafted prompts that tricked Gemini into fetching external web content using the Browser Tool, embedding user data into the query string of that request. The outbound HTTP call thereby carried the user’s sensitive data to an attacker-controlled server, without relying on visibly rendered links or markdown tricks.
This finding is notable because Google already has mitigations such as suppressing hyperlink rendering or filtering image markdown. The attack bypassed those UI-level defenses by using Google Browsing Tool invocation as the exfiltration channel.
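Because the leak rides on the tool's own outbound request rather than on rendered output, a check has to sit in front of the fetch itself. The following is an added example, not code from Tenable or Google and not a description of Google's fix: a pre-fetch guard that refuses a model-chosen URL when its path or query string carries data from the user's session. The function names, the `collector.example` host and the sample values are assumptions constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, parse_qsl, unquote

MIN_LEN = 6  # skip very short values; they match too much benign text

def _decodings(text):
    """Return the text plus its URL-decoded and base64-decoded forms."""
    forms = {text, unquote(text)}
    for form in list(forms):
        padded = form + "=" * (-len(form) % 4)
        try:
            forms.add(base64.urlsafe_b64decode(padded).decode("utf-8"))
        except ValueError:  # not base64, or not UTF-8 text once decoded
            pass
    return {f.lower() for f in forms}

def leaked_values(url, sensitive_values):
    """List the sensitive values carried in the URL's path or query string."""
    parts = urlsplit(url)
    fields = [parts.path]
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        fields += [name, value]
    haystack = set()
    for field in fields:
        haystack |= _decodings(field)
    return [s for s in sensitive_values
            if len(s) >= MIN_LEN and any(s.lower() in h for h in haystack)]

def allow_fetch(url, sensitive_values):
    """Gate for a hypothetical browsing-tool wrapper: block on any leak."""
    return not leaked_values(url, sensitive_values)

# Constructed sample data, not taken from the Tenable research.
SESSION_SECRETS = ["221B Baker Street", "jane.doe@example.com"]

if __name__ == "__main__":
    encoded = base64.urlsafe_b64encode(b"jane.doe@example.com").decode()
    for url in ("https://en.wikipedia.org/wiki/Baker_Street?action=raw",
                "https://collector.example/log?q=221B%20Baker%20Street",
                "https://collector.example/p?d=" + encoded):
        print(allow_fetch(url, SESSION_SECRETS), url)
```

The guard only recognizes plain, percent-encoded and base64 forms of a value, so it complements rather than replaces restricting which hosts the tool may reach.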
While Google did not immediately respond to CSO’s request for comment, Tenable said the cloud giant has fixed all of these issues by sanitizing link outputs in Browser Tool and bringing in more structural protections in Gemini Cloud Assist and Search.
Prompt injection attacks have been around since AI first came into play, alongside some other sophisticated ways to subvert these intelligent models, including EchoChamber, EchoLeak, and Crescendo. “These are intrinsic weaknesses in the way today’s agents are built, and we will continue to see them resurface across different platforms until runtime protections are widely deployed,” Ravia noted.