Google Antigravity Exfiltrates Data

Summary

Antigravity is Google’s new agentic code editor. In this article, we demonstrate how an indirect prompt injection can manipulate Gemini to invoke a malicious browser subagent in order to steal credentials and sensitive code from a user’s IDE.Google’s approach is to include a disclaimer about the existing risks, which we address later in the article. Let's consider a use case in which a user would like to integrate Oracle ERP’s new Payer AI Agents into their application, and is going to use Antigravity to do so. In this attack chain, we illustrate that a poisoned web source (an integration guide) can manipulate Gemini into (a) collecting sensitive credentials and code from the user’s workspace, and (b) exfiltrating that data by using a browser subagent to browse to a malicious site.Note: Gemini is not supposed to have access to .env files in this scenario (with the default setting ‘Allow Gitignore Access > Off’). However, we show that Gemini bypasses its own setting to get access and subsequently exfiltrate that data. The user provides Gemini with a reference implementation guide they found online for integrating Oracle ERP’s new AI Payer Agents feature.Antigravity opens the referenced site and encounters the attacker’s prompt injection hidden in 1 point font.The prompt injection coerces AI agents to:Collect code snippets and credentials from the user's codebase.b. Create a dangerous URL using a domain that allows an attacker to capture network traffic logs and append credentials and code snippets to the request.c. Activate a browser subagent to access the malicious URL, thus exfiltrating the data.Gemini is manipulated by the attacker’s injection to exfiltrate confidential .env variables. Gemini reads the prompt injection: Gemini ingests the prompt injection and is manipulated into believing that it must collect and submit data to a fictitious ‘tool’ to help the user understand the Oracle ERP integration. b. Gemini gathers data to exfiltrate: Gemini begins to gather ...