Full Report
Gemini's Markdown renderer fails to sanitize HTML-like content within code blocks when there are premature code fence terminations (```). An example payload: ``` test ``` ``` ```` ... The payload exploited a parsing inconsistency. The Markdown processor would close the code block early, which allowed for the HTML to be rendered without a direct escape. Initially, this only allowed for a few specific tags. However, after an update, it allowed for direct HTML injection. To exploit this, they setup UI spoofing to get sensitive information, like creds. In Firefox, it prioritizes referrerpolicy attribute over server-set Referrer-Policy headers. This meant that Firefox could leak the full URL, including autofilled creds in query strings, via the referrer header. Pretty neat! The vulnerability doesn't allow for the injecting of JavaScript directly. Still, it's able to perform various attacks. To exploit this, I think Gemini would have to return malicious content. Although this is claimed and probably is "zero click", I don't think you can trigger this on arbitrary users.
Analysis Summary
# Vulnerability: HTML Injection and Credential Leakage in Google Gemini
## CVE Details
- **CVE ID**: Not explicitly assigned (Bug bounty discovery via Google VRP)
- **CVSS Score**: Estimated 7.5 - 8.1 (High)
- **CWE**: CWE-79 (Improper Neutralization of Input During Web Page Generation), CWE-116 (Improper Encoding or Escaping of Output)
## Affected Systems
- **Products**: Google Gemini (AI Chat Interface)
- **Versions**: All versions prior to the remediation in late 2023/early 2024.
- **Configurations**: UI rendered via Markdown; exploitation impact specifically heightened for users on the **Mozilla Firefox** browser.
## Vulnerability Description
The flaw originates from a parsing inconsistency in Gemini's Markdown renderer regarding code fences (triple backticks).
1. **Sanitization Failure**: The renderer failed to correctly handle nested or premature code fence terminations (e.g., ` test `).
2. **Parser Differential**: The Markdown processor would close a code block earlier than intended by the security filter. This allowed raw HTML-like content following the "closed" block to bypass sanitization and render directly in the browser.
3. **Escalation**: While an initial update restricted tags, a subsequent regression allowed for broader HTML injection. Although `<script>` tags were blocked (preventing direct XSS), the renderer allowed UI-spoofing tags and specific attributes.
## Exploitation
- **Status**: PoC demonstrated to Google; Bug Bounty awarded. No evidence of widespread exploitation in the wild.
- **Complexity**: Medium (Requires crafting specific Markdown payloads and social engineering for UI spoofing).
- **Attack Vector**: Network (Remote). The AI must be prompted or coerced into returning the malicious payload.
## Impact
- **Confidentiality**: High. In Firefox, the `referrerpolicy` attribute in injected HTML could override server-set headers, leaking full URLs (including potential credentials in query strings) to an attacker-controlled server.
- **Integrity**: Medium. Allows for UI spoofing and phishing within the Gemini interface.
- **Availability**: Low.
## Remediation
### Patches
- **Google Gemini Update**: Google has patched the Markdown rendering engine to properly sanitize content following code fences and prevent HTML injection. No user action is required for the web interface.
### Workarounds
- **Browser Security**: Ensure browsers are updated to the latest versions.
- **Header Enforcement**: Use strict Content Security Policies (CSP) to prevent unauthorized exfiltration of data to unknown origins.
## Detection
- **Indicators of Compromise**: Presence of abnormal Markdown structures in LLM outputs, such as unbalanced triple backticks followed by HTML tags (`<div>`, `<a>`, `<img>`).
- **Detection Methods**: Monitor for outbound requests from the Gemini domain to unrecognized third-party domains, particularly those triggered by user interaction with "cloaked" UI elements.
## References
- **Original Research**: hxxps[://]exigent07[.]com/posts/gemini-leak/
- **Google Vulnerability Reward Program**: hxxps[://]bughunters[.]google[.]com/