Google Patches Gemini Enterprise Vulnerability Exposing Corporate Data
securityweek
GeminiJack is a zero-click Gemini attack that could have been exploited using specially crafted emails, calendar invites, or documents.


Google recently addressed a Gemini Enterprise vulnerability that could have been exploited by threat actors to obtain potentially sensitive corporate data, according to AI security firm Noma Security.
Dubbed GeminiJack, the attack method did not require any user interaction. Sending a specially crafted document, calendar invite, or email was enough to exploit the flaw, which Noma described as “an architectural weakness in the way enterprise AI systems interpret information”.
Gemini Enterprise is an agentic platform designed to enable large organizations to automate complex, multi-step business workflows across their entire technology stack.
GeminiJack leveraged the fact that Gemini Enterprise has access to various Google services used by an organization, including Gmail, Docs, Calendar, and other Workspace components.
An attacker could have incorporated hidden prompt injection instructions into a specially crafted email, document ...
Copyright of this story solely belongs to securityweek.

