There is no data leak until a user clicks a suspicious link in the AI output. Clicking a suggested prompt alone does not have any risk of leaking data.
The bug is that Google’s own website outside of the context of user generated content becomes the source of the link and that alone removes a large amount of the suspicion.
I think the author of this attack could easily modify it to be way worse.
Just change it to inject a message saying “you have run out of creator studio AI credits, please add on a Gemini Creator Plus plan to continue. You will be taken to a third party billing service to complete the transaction” and then link to a malicious billing page.
I find this apathetic response from Google to be pretty confusing coming from one of the big AI companies making a big stink about AI safety. How about trying to practice what you preach and make your AI safe? Or were those all dog whistles for regulatory capture?
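The point the comments above make is that the risk comes from a link the model emits being rendered on a trusted first-party page. One defensive control a product team can put in front of the renderer is an output filter that only lets links to an allowlisted set of hosts through and neutralises everything else, recording what was stripped so the injection attempt can be logged. The code below is an added example written for this thread, not code from Google, YouTube or any commenter; the allowlisted hosts, the sample model output and the `.invalid` domain are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: hosts the product itself legitimately links to.
# In a real deployment this is product-specific configuration.
ALLOWED_HOSTS = {"youtube.com", "support.google.com"}

# Markdown-style links first, then any bare URL left over.
MARKDOWN_LINK_RE = re.compile(r"\[([^\]]*)\]\((https?://[^)\s]+)\)")
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)

REMOVED = "[external link removed]"


def host_allowed(url: str, allowed=ALLOWED_HOSTS) -> bool:
    """True only if the URL's host is an allowlisted host or a subdomain of one.

    Suffix matching is done on '.' + host so that 'youtube.com.evil.invalid'
    does not pass as 'youtube.com'.
    """
    host = urlparse(url).hostname
    if host is None:
        return False
    host = host.lower()
    return host in allowed or any(host.endswith("." + a) for a in allowed)


def sanitize_ai_output(text: str, allowed=ALLOWED_HOSTS):
    """Strip non-allowlisted links from model output.

    Returns (cleaned_text, stripped_urls). The label of a markdown link is kept
    as plain text so the sentence still reads, but it is no longer clickable.
    """
    stripped = []

    def replace_markdown(m):
        label, url = m.group(1), m.group(2)
        if host_allowed(url, allowed):
            return m.group(0)
        stripped.append(url)
        return f"{label} {REMOVED}"

    def replace_bare(m):
        url = m.group(0)
        if host_allowed(url, allowed):
            return url
        stripped.append(url)
        return REMOVED

    text = MARKDOWN_LINK_RE.sub(replace_markdown, text)
    text = URL_RE.sub(replace_bare, text)
    return text, stripped


# Constructed sample: one legitimate help link and one injected "billing" lure
# of the kind described in the thread, pointing at a placeholder domain.
SAMPLE_OUTPUT = (
    "Tip: see https://support.google.com/youtube/answer/placeholder for analytics.\n"
    "You have run out of Creator Studio AI credits. Please add a plan to continue: "
    "[Continue to billing](https://billing-example.invalid/pay)"
)


def sanitize_sample():
    """Run the filter over the constructed sample and return its result."""
    return sanitize_ai_output(SAMPLE_OUTPUT)


if __name__ == "__main__":
    cleaned, removed = sanitize_sample()
    print(cleaned)
    # Each stripped URL is a candidate prompt-injection indicator worth logging.
    for url in removed:
        print("stripped:", url)
```

The filter runs on the model's text after generation and before rendering, so it does not depend on the model behaving; a stripped URL is also a cheap signal for detection, since a well-behaved assistant for this product should rarely emit links outside the allowlist.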