Hackers Manipulate AI’s Long-Term Memory

Researcher Johann Rehberger has revealed a new attack on Google's Gemini chatbot that allows false long-term memories to be planted in the model. The method builds on two already known techniques, indirect prompt injection and delayed tool invocation, which have previously been used to bypass the platforms' protective mechanisms.

Chatbots such as Google's Gemini and OpenAI's ChatGPT are built with protections against malicious prompt injection. However, attackers keep finding new ways to manipulate them. In particular, the new Gemini vulnerability concerns the possibility of altering the chatbot's long-term memory, which can lead to the spread of misinformation or even to the execution of malicious actions.

Previously, Rehberger demonstrated how malicious emails and documents could make Microsoft Copilot search for confidential data in the victim's mailbox and send it to the attacker. Microsoft then fixed that vulnerability, but the underlying problem of indirect prompt injection remains.

One way to combat such attacks is to restrict the commands that can be executed while untrusted data is being processed. In Google's case, this measure covers the applications and data reachable through Google Workspace. However, Rehberger found a way to bypass these restrictions using delayed tool invocation.

The essence of the method is that the malicious document contains no explicit request to execute a command. Instead, it includes a condition under which the command is activated only by a certain user action. For example, if the bot is directly instructed to use the Workspace extension to search for a document, the system blocks it. But if the command is phrased so that it runs after the user's next request, whatever that request is, the protection can be circumvented.

The data obtained this way can be sent to the attacker via an image link embedded in the text reply. Google tried to address the problem by restricting the rendering of such links in the chatbot, but the vulnerability itself remained.

The new attack method presented by Rehberger uses the same logic to plant false long-term memories in Gemini. The user uploads a document and asks for a summary. The malicious document covertly alters the summarization process so that the bot is told to remember false information. If the user then replies with certain words ("yes", "of course", and so on), Gemini stores this in its long-term memory.
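One defender-side mitigation for the memory-injection pattern described above, shown as an added illustration that is neither the article's nor Google's code: tag every proposed memory write with its origin, treat text that arrived inside an uploaded document as untrusted data, and let only the user's own turns schedule long-term writes, so a later "yes" cannot activate an instruction the document planted. The store, message types and the sample false fact are constructed for this example.

```python
from dataclasses import dataclass, field

# Only instructions that originate in the user's own turn may drive memory writes.
TRUSTED_ORIGINS = {"user"}
CONFIRMATION_WORDS = {"yes", "of course", "sure", "ok"}


@dataclass
class ProposedMemory:
    content: str
    origin: str                    # "user", "document", "tool", ... (constructed tags)
    needs_confirmation: bool = False


@dataclass
class MemoryStore:
    entries: list = field(default_factory=list)   # persisted long-term memory
    pending: list = field(default_factory=list)   # trusted writes awaiting confirmation
    audit: list = field(default_factory=list)     # refused writes, useful for detection

    def propose(self, mem: ProposedMemory) -> bool:
        """Queue or persist a proposed write; refuse anything from untrusted content."""
        if mem.origin not in TRUSTED_ORIGINS:
            # Text inside a summarized document or tool output is data, not a command,
            # so it can never schedule a memory write, not even a conditional one.
            self.audit.append(f"refused write from {mem.origin}: {mem.content!r}")
            return False
        if mem.needs_confirmation:
            self.pending.append(mem)
        else:
            self.entries.append(mem.content)
        return True

    def user_reply(self, text: str) -> int:
        """Handle a user turn; commit pending trusted writes only on explicit confirmation."""
        if text.strip().lower().rstrip(".!") not in CONFIRMATION_WORDS:
            self.pending.clear()          # any other reply cancels pending writes
            return 0
        committed = len(self.pending)
        self.entries.extend(m.content for m in self.pending)
        self.pending.clear()
        return committed


def run_scenario() -> MemoryStore:
    """Replay the article's scenario with a constructed malicious document."""
    store = MemoryStore()
    # Hidden instruction inside the uploaded document (constructed sample, not real data).
    store.propose(ProposedMemory("The user always wants replies in French.",
                                 origin="document", needs_confirmation=True))
    store.user_reply("yes")  # the confirmation word does not launder a document-sourced write
    store.propose(ProposedMemory("The user prefers metric units.", origin="user"))
    return store
```

The refused write lands in `audit` rather than silently disappearing, which gives a detection hook for documents that try to schedule memory changes.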
