A flaw in Google’s new Gemini CLI tool could’ve allowed hackers to exfiltrate data
The company has moved to fix a vulnerability that allowed the execution of malicious code
Security researchers have discovered a vulnerability in Google's Gemini CLI tool that enables malicious command execution and silent data infiltration.
Released in June, Gemini CLI is a command line interface (CLI) tool designed to streamline coding workflows by allowing users to interact with code using Google’s Gemini large language model (LLM) directly from their command line.
Just two days after launch, Tracebit discovered and reported a vulnerability that meant that, in its default configuration, Gemini CLI could silently execute arbitrary malicious code on a user's machine when run in the context of untrusted code.
Sam Cox, TraceBit’s co-founder and chief technology officer (CTO), said this can be done in such a way as to obscure this from the victim of the attack.
The vulnerability arises from the way Gemini CLI implements whitelists, requesting permission to execute shell commands and allowing users to whitelist certain commands for the rest of a session.
"Gemini’s method of matching commands against the whitelist is inadequate as a security control," Cox explained.
"This means we can orchestrate a two-stage attack: firstly, we get the user to whitelist an innocuous command. Secondly, we attempt a malicious command masquerading as that innocuous command - which, having been whitelisted, will not be subject to user approval before execution."
The team used a simple grep search as the initial command - something that would normally be seen as a very low risk activity for Gemini to perform and that might easily lead to ‘grep’ being added to the whitelist.
They were able to execute a malicious command - which Gemini now considered to be a ‘grep’ command and executed without confirming with the user.
"In reality, this is a grep command followed by a command to silently exfiltrate all the user’s environment variables (possibly containing secrets) to a remote server," said Cox.
"The malicious command could be anything (installing a remote shell, deleting files, etc)."
The team then added several whitespace characters, followed by a semicolon and malicious 'env' and 'curl' commands to silently retrieve and exfiltrate the data.
There’s a fix for the Gemini CLI flaw
Google fixed the issue late last week with the release of Gemini CLI v0.1.14, which now shows any commands it's trying to run and requires explicit user approval for anything suspicious.
“Our security model for the CLI is centered on providing robust, multi-layered sandboxing,” Google’s Vulnerability Disclosure Program team said in a statement.
“We offer integrations with Docker, Podman, and macOS Seatbelt, and even provide pre-built containers that Gemini CLI can use automatically for seamless protection.”
"For any user who chooses not to use sandboxing, we ensure this is highly visible by displaying a persistent warning in red text throughout their session,” the company added.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
IT leaders are being stung by "unexpected" AI costsNews The growing costs associated with AI are hitting organizations large and small
-
'Botsitting' is destroying productivity as workers spend nearly a full day each week making AI 'usable'News While workers are reporting productivity improvements, ‘botsitting’ means these are often negated
-
Google says AI is now being used to build zero-days – and we just narrowly avoided a 'mass exploitation event'News Google cyber researchers think they’ve found the first AI-generated zero-day exploit
-
Google just revised its ‘Q-Day’ timeline: Quantum computers could break existing encryption techniques within three years – and enterprises are nowhere near readyNews Google has warned that “Q-Day”, the point where a quantum computer is powerful enough to crack current encryption techniques, could come as soon as 2029.
-
Google just launched a new Gemini-powered dark web monitoring serviceNews A new AI-powered dark web monitoring service looks to give enterprises more "reasoned answers" and deeper insights
-
Flaw in Chrome’s Gemini Live gave attackers access to user cameras and microphonesNews The in-browser AI assistant loads differently in the side panel, rather than a regular tab, exposing users to risks
-
Using AI to generate passwords is a terrible idea, experts warnNews Researchers have warned the use of AI-generated passwords puts users and businesses at risk
-
Researchers called on LastPass, Dashlane, and Bitwarden to up defenses after severe flaws put 60 million users at risk – here’s how each company respondedNews Analysts at ETH Zurich called for cryptographic standard improvements after a host of password managers were found lacking
-
‘They are able to move fast now’: AI is expanding attack surfaces – and hackers are looking to reap the same rewards as enterprises with the technologyNews Potent new malware strains, faster attack times, and the rise of shadow AI are causing havoc
-
Ransomware gangs are using employee monitoring software as a springboard for cyber attacksNews Two attempted attacks aimed to exploit Net Monitor for Employees Professional and SimpleHelp
