Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

GeminiJack: The Google Gemini Zero-Click Vulnerability Leaked Gmail, Calendar and Docs Data - 1828

Sasi Levi - Noma Security (posted 3 months ago)
  • AI tools are being integrated deeper and deeper into our workflows. As this happens, the attack surface grows: attacker-controlled input can trick the bot into doing malicious things. Google Docs, Google Calendar, Mail and many other things are now sources of potentially malicious input. Google Gemini Enterprise integrates all of the Google products into Gemini for use. This is the beginning of the bug.
  • Google Gemini Enterprise AI uses a Retrieval-Augmented Generation (RAG) architecture that allows organizations to query mail, calendar, docs and other Google Workspace components. When a user makes a query, Gemini searches the configured data sources for relevant content, matches it, loads the matches into the agent's context and generates contextual responses from that content. The data sources for the RAG system must be preconfigured by the enterprise admin.
  • There is a lot of trust placed in this content. By planting a prompt injection in one of the returned data sources, an attacker can add malicious instructions to the content. This can be a meeting link, a shared Google Doc and many other things. What can this do? By embedding an image hosted on a remote server and asking the AI to place retrieved data into that image's URL, RAG-retrieved information can be stolen. This leads to data exfiltration.
  • I find that "zero-click" is the wrong word. It still requires user interaction to exploit, but they don't need to click on a specific attacker-controlled link. To me, zero click means that a user has to do nothing. Maybe 0.5 clicks is better. Still, this is really impactful and interesting! There's an assumption that prompt injection is always possible. So, content isolation and more permissions seem like the future of security here.