BreachWatch™: Hacking Gemini ‐ a multi-layered attack on trust boundaries

December 10, 2025

Snapshot
  • Incident type: Multi-layered prompt/Markdown injection chain in Google’s Gemini assistants, discovered during Google’s bugSWAT Tokyo 2025 live-hacking event and reported through the Google AI Vulnerability Reward Program (VRP).
  • Operational impact (if exploited): The chain bypassed Gemini’s Markdown sanitization and used Google Colab as a bridge, enabling zero/one-click exfiltration of Google Workspace data via Gemini extensions.
  • Data exposure risk: Researcher proof-of-concepts showed the ability to leak Gmail emails, Calendar events, Drive files, and other Workspace data that Gemini is allowed to access on a user’s behalf.
  • Underlying control gap: Indirect prompt injection (IDP) against agentic AI systems that blend user prompts, Markdown rendering, URL handling, and cross-product connectors. The researcher notes IDP is “non-deterministic” and fundamentally harder to solve than the exfiltration path itself.
  • Why it matters: Gemini is now deeply integrated into Google Workspace (Docs, Sheets, Drive, Gmail, Calendar, etc.), and industry bodies like the UK NCSC warn that prompt injection may never be fully mitigated because current LLMs don’t strongly separate “instructions” from “data.”


In early 2025, security researcher Valentino Massaro participated in Google’s bugSWAT Tokyo live-hacking event focused on Gemini and other AI products. During the event, he uncovered a multi-layered vulnerability chain in Gemini’s Markdown and link-handling pipeline and reported it through Google’s AI VRP.

At a high level, Gemini treated Markdown images and links in several stages:

  1. A “Layer 1” user prompt.
  2. An internal “Layer 2” representation where trusted Markdown could be added.
  3. A “Layer 3” HTML output rendered back to the user.

Images supplied directly by the user were supposed to be sanitized before rendering, but researcher experimentation showed that the combination of Markdown linkification and this multi-layer design introduced a subtle gap. By abusing how URLs were turned into Markdown and then toggling a link into an image (by introducing a ! prefix in the internal representation), the researcher could bypass the sanitizer and get externally hosted images to render.

From there, the chain got more interesting:

  • Open redirects on *.google.com could be used to route those image requests off to attacker-controlled endpoints, sidestepping CSP protections.
  • The same pattern also applied when Gemini exported content to Google Colab, adding yet another “layer” and another context with its own parsing quirks. The researcher used small discrepancies between Gemini and Colab to regain a working exploit after initial fixes.
  • Once the exploit was stable again, it enabled indirect prompt injection that caused Gemini (and Colab) to pull sensitive Workspace data and exfiltrate it via those image loads.
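To make the two design points above concrete (sanitizing at the wrong layer, and allowlisting a whole domain that contains open redirects), here is an added toy model of a three-layer Markdown pipeline. It is illustrative code written for this post, not Gemini's implementation or the researcher's proof-of-concept; the layer-2 "promote link to image" step, the host names and the allowlist are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist. Naming an exact image-proxy host (not a whole domain)
# matters: an open redirect anywhere on an allowlisted domain would otherwise
# let the image fetch leave the trusted origin, as described above.
ALLOWED_IMAGE_HOSTS = {"img-proxy.example.test"}

# Matches "[alt](url)" links and "![alt](url)" images; group 1 is the "!" if present.
MD_LINK_OR_IMAGE = re.compile(r"(!?)\[([^\]]*)\]\(([^)\s]+)\)")
# Bare URLs not already inside a "[...]" or "(...)" Markdown construct.
BARE_URL = re.compile(r"(?<![(\[\w])https?://[^\s)\]]+")


def strip_untrusted_images(md: str) -> str:
    """Replace every image whose host is not allowlisted with its alt text."""
    def repl(m: re.Match) -> str:
        bang, alt, url = m.groups()
        if bang and urlsplit(url).hostname not in ALLOWED_IMAGE_HOSTS:
            return alt
        return m.group(0)
    return MD_LINK_OR_IMAGE.sub(repl, md)

def linkify(text: str) -> str:
    """Layer 1 -> 2: turn bare URLs in the prompt into Markdown links."""
    return BARE_URL.sub(lambda m: f"[{m.group(0)}]({m.group(0)})", text)

def layer2_promote(md: str) -> str:
    """Constructed model of an internal 'trusted Markdown' step that upgrades
    links pointing at image files into inline images (not Gemini's real logic)."""
    def repl(m: re.Match) -> str:
        bang, alt, url = m.groups()
        if not bang and url.lower().endswith((".png", ".jpg", ".gif")):
            return f"![{alt}]({url})"
        return m.group(0)
    return MD_LINK_OR_IMAGE.sub(repl, md)

def to_html(md: str) -> str:
    """Layer 3: minimal Markdown -> HTML for links and images only (no escaping)."""
    def repl(m: re.Match) -> str:
        bang, alt, url = m.groups()
        return f'<img src="{url}" alt="{alt}">' if bang else f'<a href="{url}">{alt}</a>'
    return MD_LINK_OR_IMAGE.sub(repl, md)

def render_sanitize_early(user_text: str) -> str:
    """Flawed ordering: images are filtered before later layers can create new ones."""
    return to_html(layer2_promote(linkify(strip_untrusted_images(user_text))))

def render_sanitize_at_output(user_text: str) -> str:
    """Hardened ordering: the allowlist runs on the final Markdown, after every
    transformation, so any image reaching the renderer has passed the check."""
    return to_html(strip_untrusted_images(layer2_promote(linkify(user_text))))
```

With the early ordering, a bare URL in untrusted content passes the image filter as plain text, is linkified, and is then turned into an externally hosted image by a later layer; with the output-boundary ordering the same input renders as text.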

In proof-of-concept demonstrations, the researcher showed that—if a user let Gemini interact with untrusted content—this chain could leak Gmail messages, Calendar events, Drive files and other Workspace data available through Gemini extensions.

Crucially, this was not a public mass exploitation campaign. It was a responsibly disclosed research finding that Google acknowledged and rewarded through its VRP, and the exfiltration path was hardened as part of ongoing work to improve Gemini’s Markdown sanitization and layered defenses against prompt injection.

The researcher’s conclusion is the part every VRM leader should remember: indirect prompt injection itself is an unsolved, non-deterministic problem. You can fix this exfil vector, but any complex AI system that reads untrusted content and has powerful tools will continually expose new attack paths.


What actually happened (and why it matters)

  • Entry & method.
    The attack doesn’t start with a classic exploit payload; it starts with content – Markdown in files, emails, or other inputs Gemini is allowed to process. By abusing Gemini’s three-layer Markdown→HTML pipeline and linkification rules, the researcher was able to flip a sanitized hyperlink back into an image, bypass the sanitizer, and use open redirects to exfiltrate data. In the Colab export path, discrepancies in escaping and URI parsing provided another route around mitigations.
  • Scope.
    The proof-of-concept showed that any user who allows Gemini to read untrusted or “poisoned” content—then grants it access to Gmail, Drive, Calendar, etc.—could in principle have that data streamed out through the exfil channel. This is exactly the sort of implicit trust bridge that appears when AI agents sit in front of rich SaaS platforms.
  • Ecosystem pattern, not a one-off bug.
    Separate research has shown Gemini for Workspace can also be tricked into showing phishing messages hidden in email CSS/HTML, and that Google has had to roll out additional defenses like prompt-injection classifiers, security “thought reinforcement,” and stricter Markdown/URL controls.
    When you zoom out, Hacking Gemini is one of several prompt-injection and data-exfiltration vulnerabilities disclosed for Gemini agents over the last 18 months, all exploiting the same basic design reality: LLMs don’t strongly separate instructions from data.
  • This is an ecosystem failure mode, not “Gemini is uniquely unsafe.”
    Google’s own AI security blog and VRP program are unusually transparent about these issues and the mitigations they’re rolling out.
    For VRM teams, that’s the real takeaway: any AI-enabled vendor that reads untrusted content and can touch sensitive systems will periodically reveal new, high-impact paths. Your job is not to predict each bug, but to govern the vendor relationship and your own blast radius when those bugs appear.

What Perimeter customers saw – inside the platform

Perimeter is designed for exactly these “invisible bridge” problems—especially when small VRM teams are supporting regulated businesses that can’t afford to get this wrong.

When research like Hacking Gemini: A Multi-Layered Approach and Google’s own prompt-injection advisories started to circulate, Perimeter customers didn’t fan out across spreadsheets and inboxes. They worked the incident inside Perimeter:

  • One-click triage.
    Vendors that rely on Gemini for Workspace, or that build on top of it, were quickly surfaced through Perimeter’s vendor inventory and tagging—so customers could see “where Gemini might be in play” across their supply chain.
  • Ready-to-send AI impact check.
    A short questionnaire captured the essentials fast:
    • Is the vendor using Gemini or similar agentic models in production?
    • Which data sources (Gmail, Drive, Calendar, CRM, ticketing) does the AI have access to?
    • What defenses (sanitization, allowlists, confirmation prompts) are in place against prompt/Markdown injection and indirect prompt injection?
  • Action to closure.
    Perimeter orchestrated remediation tasks—tightening scopes, adding guardrails to AI features, disabling risky connectors, updating DPAs—and tracked each one to closure in the same workspace.
  • Verified, not just attested.
    Customers didn’t just read “we take security seriously” in vendor responses; they correlated those claims with signals like public VRP writeups, product release notes, and changes to the vendor’s external attack surface via Perimeter’s Verify module.

Result: a real-time view across AI-enabled vendors, with validated signals flowing straight into decisions and remediation—painless VRM in practice, even when the incident involves complex AI chains instead of a classic breach.

Why this fits Perimeter’s design: Verify continuously measures vendors’ external posture and correlates it with what vendors say in questionnaires, surfacing drift and contradictions over time. That “zero-trust for vendor claims” is core to Perimeter’s end-to-end lifecycle approach for regulated industries and lean security teams.


Where each Perimeter module fits in this incident

  • Monitor – surfaces news, research writeups, and security advisories about Gemini and other AI agents, and flags vendors that depend on those ecosystems so you know who to work first.
  • Verify – continuously checks vendors’ external footprint (domains, exposed services, attack-surface indicators) and correlates that with their claimed AI architecture and controls, catching drift or omissions.
  • Extract – ingests vendor security notices, VRP writeups, and contractual updates, and highlights the exact passages that mention Gemini, prompt injection, or tool integrations—accelerating review without sacrificing accuracy.
  • Assess – centralizes due diligence and risk scoring so “AI-enabled vendor with Gemini access to regulated data” becomes an explicit risk dimension across your program, not a buried edge case.
  • Share – standardizes outbound impact checks and document exchange so every “Tell us how you use Gemini and what you’ve changed” request is consistent, trackable, and auditable.
  • Respond – orchestrates remediation and RFP workflows: from tightening scopes and updating contracts to documenting evidence for auditors and regulators—end-to-end, in one place.

Perimeter’s promise here is simple: an end-to-end, low-effort, real-time VRM system that validates vendor claims instead of trusting them by default.


Immediate response checklist (Gemini + Google Workspace)

Use this as a practical playbook to move from “another scary AI headline” to a controlled, auditable process.

These steps are oriented toward Google as your vendor (or subvendor), but they generalize to any AI-enabled provider with deep SaaS integrations.

Investigate

1. Inventory where Gemini is in use.

  • Confirm which of your vendors (and internal teams) use Gemini for Workspace or Gemini agents in production.
  • Pay special attention to workflows where Gemini can read external documents, emails, or calendar invites and also access sensitive systems (Gmail, Drive, HRIS, CRM, ticketing).

2. Ask vendors for a clear description of their AI architecture.
For each AI-enabled vendor, request:

  • Which LLMs/agents they use (Gemini versions, custom agents, or mixtures).
  • What tools or connectors the AI can invoke (email, storage, ticketing, smart-home, etc.).
  • How they sanitize Markdown/HTML and URLs, and how they guard against indirect prompt injection specifically (not just generic “we use filters”).

3. Review vendor incident and VRP history around Gemini.

  • Look for references to VRP writeups like Hacking Gemini, email-summary prompt injection, and calendar-based “promptware” attacks, and confirm whether these issues are now mitigated in your vendor’s environment.

Contain & remediate

4. Tighten data scopes and tool permissions.

  • Ensure Gemini (and vendor-built agents on top of it) have least-privilege access to your data—only the folders, mailboxes, and systems they truly need.
  • Where possible, separate production data from “AI experimentation” environments to limit impact when prompt injection succeeds.

5. Add human-in-the-loop for destructive or sensitive actions.

  • Require explicit human confirmation for operations like deleting calendar events, changing access controls, or sending outbound emails—mirroring Google’s own “user confirmation” framework for risky Gemini actions.

6. Update contracts and controls for AI-enabled vendors.

  • Make sure your security addenda and DPAs explicitly cover:
    • Use of generative AI and agents.
    • Handling of prompt injection and data exfiltration vectors.
    • Logging, incident notification, and customer control over enabling/disabling AI features.

Harden for next time

7. Treat AI agents as “confusable deputies.”
Both NCSC and independent researchers stress that prompt injection may never be fully eliminated; instead, systems must be designed to limit the blast radius when AI is tricked. That means:

  • Segmentation of what AI can see and do.
  • Strong guardrails on tool use.
  • Assuming hostile content is everywhere.

8. Build continuous validation into VRM—not one-off AI questionnaires.

  • Don’t just ask whether a vendor “uses AI.” Track how their Gemini usage, prompt defenses, and data scopes evolve over time, and correlate that with external research and disclosures. This is where Perimeter’s Monitor and Verify modules keep AI risk from becoming a black box.

How Perimeter operationalizes this playbook

Inside Perimeter, the same Gemini story becomes a repeatable workflow rather than a one-off scramble:

  • Start with a clean list.
    Filter your vendor inventory to vendors that:
    • Use Google Workspace, Gemini for Workspace, or Google-based AI agents; or
    • Ship AI-enabled features that integrate with Gmail/Drive/Calendar or similar.
  • Dispatch the impact check.
    Send a prebuilt AI/Gemini questionnaire that covers:
    • Where Gemini is embedded.
    • What data it can access.
    • How prompt injection, Markdown, and URL handling are mitigated.
  • Drive remediation to “done.”
    Apply a recommended-actions template: tighten scopes, enable human-in-the-loop for sensitive actions, verify logging and notification commitments, and require confirmation of patched exfil vectors where relevant.
  • Answer, with evidence.
    When executives or regulators ask, “Which vendors are exposed to Gemini prompt-injection risk, what did they change, and how do we know?” you can show a real-time status view plus supporting evidence—rather than a folder of emails and spreadsheets.

A note on the broader Gemini “noise”

If you skim headlines, Gemini can look like an endless stream of scary bugs: calendar invites hijacking smart homes, hidden email text turning summaries into phishing lures, enterprise prompt-injection flaws exposing corporate data.

The nuance:

  • Many of these findings come from coordinated research programs—Google’s own VRP, industry bug bounties, and academic collaborations—rather than widespread criminal exploitation.
  • Google is actively publishing its defenses (Gemini 2.5 hardening, security-focused models, Markdown sanitizers, suspicious URL redaction, user confirmation) and claims to have seen no evidence of certain prompt-injection variants being abused at scale.

From a VRM perspective, that’s encouraging—but it doesn’t reduce your accountability. The right posture is: assume AI-enabled vendors will continue to have novel bugs, and build a system that lets you respond calmly when they surface.


If you’re leading VRM in a regulated industry

Perimeter’s brand promise is Painless VRM for teams that need real-time visibility without adding headcount: end-to-end lifecycle coverage, from onboarding and assessments to continuous monitoring and verified remediation.

That demand constellation—regulated industries, small security and risk teams, speed with accuracy—is exactly where Gemini-like incidents hurt the most:

  • You’re already accountable to regulators and boards.
  • Your vendors are rapidly embedding AI into critical workflows.
  • Your team doesn’t have spare capacity to chase every new AI bug by hand.

Bottom line: AI-enabled assistants and SaaS-to-SaaS connections are your modern perimeter. With Perimeter, you can turn a sprawling AI supply-chain scare into a controlled, auditable process: Monitor the blast radius, Verify reality against vendor claims, Extract the facts quickly, Assess risk in context, Share impact checks, and Respond to closure—without drowning your team.

Painless VRM

Need help operationalizing AI vendor risk? Perimeter helps you manage third-party risk with real-time validation – not just vendor promises – and time-to-value measured in days, not quarters. Schedule a demo to see how this looks in your AI vendor portfolio.

FAQ

A security researcher at Google’s bugSWAT Tokyo event discovered a multi-layered vulnerability chain in Gemini’s Markdown and export-to-Colab pipelines. By abusing linkification quirks and open redirects, the chain bypassed sanitization and enabled indirect prompt injection that could exfiltrate Google Workspace data. The issue was reported via Google’s AI VRP and rewarded.
Monitor and Verify keep continuous eyes on AI-enabled vendors and correlate real-world signals (research, advisories, attack surface) with what vendors claim. Extract parses vendor notices, Assess records and scores AI risk, Share sends and tracks impact checks, and Respond orchestrates remediation and evidencing end-to-end.
Start by using Perimeter to filter vendors using Google Workspace and Gemini or similar AI agents. Dispatch a structured AI/Gemini questionnaire, request details on prompt-injection defenses and data scopes, and track follow-up actions (scope reductions, new controls, contract updates) to closure—all inside a single workspace.
