Image: appshunter.io/Unsplash
Noma Labs uncovers GeminiJack, a zero-click flaw where hidden instructions in shared Workspace files could steer Gemini Enterprise and leak corporate data.
Google is scrambling to contain “GeminiJack,” a zero-click flaw that lets hidden instructions inside shared Workspace files tamper with its Gemini Enterprise AI.
A single poisoned Doc, email, or calendar invite was enough to set the trap, and millions of users were affected.
A new Noma Labs report says the vulnerability stemmed from how Gemini handled the content it absorbed during searches, exposing a fresh class of AI-driven weaknesses.
Noma Labs found that Gemini Enterprise was tripped up by how it trusted whatever Workspace content it pulled into its own context. Whenever an employee ran a search, Gemini automatically gathered relevant items and treated everything inside them as safe material to interpret.
User-generated text and system-level instructions flowed into the same processing stream, giving attackers room to hide prompt-style commands inside ordinary-looking files.
Because retrieval happened in the background, a malicious Google Doc or invite didn’t need macros or scripts. It only needed phrasing that Gemini would parse as an instruction once the file was ingested.
GeminiJack didn’t wait for a careless click or a convincing phish. It is activated during routine Gemini Enterprise queries, the kind employees run dozens of times a day. No prompts, no warnings, no visible interaction.
To monitoring systems, everything still looked routine. Data loss prevention (DLP) tools saw a standard AI query. Email scanners saw clean content. Endpoint defenses spotted no malware or credential theft. Even the exfiltration hid inside what looked like a harmless image request, indistinguishable from normal browser traffic.
With nothing suspicious to flag, the attack moved straight past traditional controls. The AI itself executed the steps, turning everyday activity into an invisible handoff of sensitive Workspace data.
Once a poisoned file was in play, a single run of Gemini could assemble far more information than the person searching ever had in mind. The model followed the attacker’s buried cues alongside the user’s request, broadening what it pulled together.
That sweep could touch long-running correspondence, project and deal timelines, contract language, financial notes, technical documentation, HR material, and other records that normally sit deep in a company’s systems. The attacker didn’t need insider knowledge to reach any of it; general terms like “confidential,” “acquisition,” or “salary” were enough to steer Gemini toward the most sensitive corners.
In one go, the response could double as a rough map of how the organization operates
After reviewing Noma Labs’ findings, Google reworked how Gemini Enterprise handles retrieved content, tightening the pipeline to block hidden instructions. It also separated Vertex AI Search from Gemini’s instruction-driven processes to avoid future crossover issues.
Noma Labs says the fix is only part of the story. As AI gains more autonomy inside corporate systems, new kinds of weaknesses emerge that fall outside traditional detection models. The case shows how routine access can veer into unintended territory, prompting fresh questions about how organizations set boundaries for the AI tools embedded in their workflows.
Google Chrome’s new AI security update includes a $20,000 bounty for anyone who can break its safeguards.
Liz Ticong is a staff writer for eWeek and TechRepublic focused on AI, cybersecurity, enterprise software, and data. She has more than 10 years of editorial experience as a technology industry writer, combining reporting, product research, and hands-on software testing in her coverage. Her work has been published on Datamation, Enterprise Networking Planet, and TechnologyAdvice.com. She writes technology news, software reviews, product comparisons, and buyer’s guides for business and IT readers.
