A Shared Google Doc Was Enough to Silently Steal All Your Gmail, Calendar, and Drive Files.
Researchers at Noma Security disclosed 'GeminiJack' on December 8, 2025: a zero-click vulnerability in Google Gemini Enterprise that let attackers embed hidden instructions in a shared document, causing Gemini's AI to search and exfiltrate a target's entire Gmail, Docs, and Calendar corpus without any user action.
VaultTools · March 20, 2026
Table of Contents
- What GeminiJack was
- How the attack worked
- Why it went undetected
- The disclosure timeline
- What the vulnerability reveals about AI document tools
- Sources
What GeminiJack Was
On December 8, 2025, security researchers at Noma Security publicly disclosed a zero-click architectural vulnerability in Google Gemini Enterprise, also affecting Vertex AI Search. Internally named GeminiJack, the flaw allowed an attacker to silently search and exfiltrate data from a target’s entire Gmail inbox, Google Docs library, and Google Calendar by placing hidden instructions inside a single shared document.
Google had been notified in June 2025. The company quietly patched the vulnerability by November 2025. Public disclosure followed two weeks later once remediation was confirmed.
How the Attack Worked
The attack exploited a technique known as prompt injection: embedding instructions intended for an AI model inside content that looks like ordinary text or metadata. Gemini Enterprise’s RAG (Retrieval-Augmented Generation) pipeline allowed it to retrieve and process documents that a user shared or received, including emails, calendar invites, and files in Google Drive.
An attacker crafted a document, email, or calendar event containing hidden text that instructed the Gemini assistant to conduct a broad search of the recipient’s workspace data. Gemini, following its standard behavior of retrieving relevant context to answer queries, executed the search across the target’s Gmail, Docs, and Calendar. It then packaged the results and transmitted them to an attacker-controlled server, disguised within a request that appeared to be loading an image.
The victim received the shared document. Nothing else was required.
Why It Went Undetected
The exfiltration mechanism was designed to blend into normal browser behavior. Gemini’s retrieval pipeline routinely fetches external resources when generating responses. The outbound data transfer was formatted as an image load request, a type of network activity that most enterprise security monitoring tools do not flag for content inspection.
No alert was triggered. No anomalous behavior was visible to the user or to enterprise security dashboards. The only way to detect the attack after the fact was to audit network traffic at a level of granularity that most organizations do not maintain.
The Disclosure Timeline
Noma Security reported the vulnerability to Google’s security team in June 2025. Google acknowledged the report and worked on remediation over the following months. The fix involved fully separating the Vertex AI Search component from Gemini Enterprise’s RAG pipeline, preventing the AI assistant from using the document retrieval system in ways that could be triggered by third-party content.
The patch was deployed in November 2025. Noma published the full technical disclosure on December 8, 2025, after confirming the fix was live. SecurityWeek, Infosecurity Magazine, Dark Reading, and Cybernews covered the disclosure.
What the Vulnerability Reveals About AI Document Tools
GeminiJack is a precise illustration of a structural risk that emerges when AI assistants are connected to cloud document repositories. The attack did not require a flaw in Google’s encryption, a breach of its authentication, or any compromise of its infrastructure. It required only that Gemini have access to the user’s documents and that a shared document could influence Gemini’s behavior.
Both conditions are core features, not bugs. An AI assistant that can read your documents and respond to instructions in those documents is functioning as designed. The vulnerability was not in those behaviors individually but in the combination: an AI that reads documents at scale, processes instructions embedded in those documents, and can make outbound network requests.
Cloud-based file and document tools increasingly embed AI features that connect to broader workspace data. Each such connection creates a potential prompt injection surface. A document that arrives from an untrusted sender is no longer just text to be read by a human: it is input that an AI system may act on across the user’s entire data corpus.
Browser-based file processing removes this attack surface by design. A tool that runs inside a browser tab using WebAssembly has no persistent connection to a document corpus, no AI assistant retrieving related files, and no outbound network path for exfiltrated content. The file is processed in isolation and returned to disk. The architectural constraints that make local processing private are the same ones that make prompt injection impossible.
Sources
- GeminiJack: the Google Gemini zero-click vulnerability that leaked Gmail, Calendar, and Docs data (Noma Security)
- Google Patches Gemini Enterprise Vulnerability Exposing Corporate Data (SecurityWeek)
- Google Fixes Gemini Enterprise Flaw That Exposed Corporate Data (Infosecurity Magazine)
- Gemini Enterprise No-Click Flaw Exposes Sensitive Data (Dark Reading)
- New GeminiJack zero-click flaw exposes corporate Gmail, Calendar, Docs (Cybernews)