AI security researcher Johann Rehberger revealed a prompt injection attack against Google Gemini that exploits a vulnerability in its long-term memory storage. By using a technique called delayed tool invocation, attackers can cause Gemini to execute malicious commands based on user interaction with specially crafted documents. This allows an adversary to manipulate the model's responses over time, affecting how it remembers information. The attack circumvents built-in protections, enabling the adversary to inject false information into Gemini's memory during a chat session.
This 'asynchronous triggering' of the tool accounts for the name Rehberger gave to this technique, delayed tool invocation.
The technique consists of polluting the chat context so that an action is triggered later, when the model is interacting with the user.
Rehberger showed a technique you can use to circumvent this protection mechanism when using Google Gemini.
An adversary crafts a document with embedded prompt injection, which tricks Gemini into storing false information.
Collection
[
|
...
]