Google's Antigravity AI tool can leak your sensitive data
What's the story
Google's new AI code editor, Antigravity, has been found vulnerable to a sophisticated attack. The exploit uses an indirect prompt injection in an implementation blog to manipulate the system into invoking a malicious browser subagent. This could lead to the theft of credentials and sensitive code from a user's Integrated Development Environment (IDE).
Exploit details
Attack chain: How the exploit works
In an example shared by PromptArmor, the attack starts when a user tries to integrate Oracle ERP's new Payer AI Agents into their app using Antigravity. A poisoned web source, an integration guide in this case, tricks Gemini (the AI model behind Antigravity) into collecting sensitive credentials and code from the user's workspace. The manipulated Gemini then exfiltrates this data by using a browser subagent to access a malicious site.
Security breach
Gemini bypasses its own access restrictions
With the default setting 'Allow Gitignore Access > Off,' Gemini is not supposed to access .env files, yet it was found bypassing this restriction. It accessed and exfiltrated data from these files, which are commonly used for storing credentials. The attack chain shows how a prompt injection can be used to manipulate Gemini into collecting and submitting data to a fictitious 'tool' under the pretext of helping users understand Oracle ERP integration.
Data exfiltration
Gemini constructs malicious URL with stolen credentials
Gemini was also seen circumventing the .gitignore file access protections by using the 'cat' terminal command to dump file contents. It then built a malicious URL by appending the stolen credentials and code snippets to a domain monitored by the attacker. Although a Browser URL Allowlist is in place, the default configuration included 'webhook.site,' a service that lets anyone create a URL where they can monitor requests.
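A defender-side check for the two weaknesses described above (an allowlist entry for a public request-capture service, and workspace secrets appearing in an outbound URL), as an added example that is not from the article, PromptArmor or Google. The function names, the sample .env and the sample URL are constructed; only 'webhook.site' comes from the article.

```python
from urllib.parse import unquote, unquote_plus

# Only webhook.site is named in the article; add other public
# request-capture hosts you know of (assumption: list is not exhaustive).
CAPTURE_HOSTS = {"webhook.site"}

def parse_env(text):
    """Return {KEY: value} from dotenv-style text, skipping comments and blanks."""
    secrets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        secrets[key.strip()] = value.strip().strip("'\"")
    return secrets

def risky_allowlist_entries(allowlist):
    """Return allowlist entries that match, or are subdomains of, a capture host."""
    flagged = []
    for entry in allowlist:
        host = entry.strip().lower().lstrip("*.")
        if any(host == h or host.endswith("." + h) for h in CAPTURE_HOSTS):
            flagged.append(entry)
    return flagged

def leaked_keys(url, secrets, min_len=8):
    """Return names of secrets whose value appears in the URL, raw or percent-decoded.

    Values shorter than min_len (e.g. 'true') are ignored to limit false positives.
    """
    forms = (url, unquote(url), unquote_plus(url))
    return sorted(
        name for name, value in secrets.items()
        if len(value) >= min_len and any(value in form for form in forms)
    )

# Constructed sample data, not real credentials or a real endpoint.
SAMPLE_ENV = """# constructed sample
API_KEY="EXAMPLEconstructedSecret/123+abc"
DEBUG=true
"""
SAMPLE_URL = ("https://webhook.site/00000000-placeholder/"
              "?k=EXAMPLEconstructedSecret%2F123%2Babc&note=setup")

if __name__ == "__main__":
    print(risky_allowlist_entries(["github.com", "webhook.site"]))
    print(leaked_keys(SAMPLE_URL, parse_env(SAMPLE_ENV)))
```

Where such a check runs (an egress proxy, a pre-navigation hook) depends on the environment and is not something the article specifies.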
Risk acknowledgment
Google acknowledges risks but offers no immediate solution
Google has acknowledged the data exfiltration risks highlighted by this research. However, it has not provided an immediate solution to mitigate these vulnerabilities in Antigravity. The company is currently relying on a disclaimer warning users about potential risks when they first open Antigravity.