Prompt Injection and Data Exfiltration Risks in Google Drive via Gemini AI Integrations

WithSecure researchers showed how prompt injection attacks against Gemini-based Google Drive features could be used to trick AI-powered agents into leaking sensitive documents and metadata from users’ cloud storage.[rich_content:1] The attack chains abused the model’s tool usage and instructions embedded in documents to bypass user intent and exfiltrate data without traditional malware.[rich_content:1] Google acknowledged the findings and implemented mitigations while emphasizing the importance of defense-in-depth and user controls around AI-powered workspace tools.[rich_content:1]

According to WithSecure’s report, attackers can embed malicious natural-language instructions inside Google Drive documents and metadata that are later processed by Gemini-powered features, causing indirect prompt injection that drives the AI agent to exfiltrate sensitive files and document details without traditional malware or explicit user intent.[1][2][3][7] Google acknowledged the issue and deployed mitigations such as classifiers, layered defenses, and content filtering to reduce data exfiltration risk from Gemini integrations.[3][7][8] From a CyberSE.AI perspective, this demonstrates that any AI agent with tool access to SaaS data (e.g., Drive, email, calendars) must be treated as operating over untrusted content, with strict least-privilege scopes, explicit business-logic guardrails on tool calls, and continuous red-teaming for cross-document and URL-based exfiltration paths. Organizations should include these Gemini-style integrations in AI security readiness assessments and agent build reviews, ensuring defenses against indirect prompt injection are designed, tested, and monitored over time.