Google Cloud Platform (GCP) BigQuery Cross Tenant Data Sources Exfiltration through Canvas Assistant


The vulnerability stems from a flaw in how Gemini in BigQuery handles tool execution and session persistence within shared Canvas environments. The attack begins with the creation of a malicious Gemini Agent configured with hidden system instructions that utilize the data extraction and joiner tool. By embedding directives that command the LLM to ignore user input and instead prioritize queries against a specific target path, such as victims-project.dataset.table, the attacker creates a trap. When this malicious agent is attached to a shared Canvas and sent to a victim, the UI obfuscates the underlying system instructions, making the assistant appear benign and connected only to the attacker’s disclosed data sources.

The core of the exfiltration relies on a synchronization inconsistency between the client-side UI and the backend server. When a victim interacts with the assistant, even with a neutral greeting, the LLM executes the hidden instructions, pulling private data from the victim’s BigQuery environment into the active Canvas session. While the victim may attempt to exit without saving to prevent data exposure, the attacker can simultaneously attempt to save the report from their own session. Although the UI generates a “saving failed” error message to the attacker, the victim’s private data is covertly persisted to the server’s version of the Canvas. This allows the attacker to bypass the failed save notification and retrieve the sensitive data by simply refreshing the report or querying the underlying server state, effectively turning the Canvas saving mechanism into a stealthy exfiltration channel.
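As a defensive illustration of the gap described above, where the assistant appears connected only to the disclosed data sources while hidden instructions target a path such as victims-project.dataset.table, this added example (not code from the original write-up or from Google) flags tables in an assistant-generated query that fall outside the disclosed sources. The function names, the attacker-project.sales.* source and the sample query are assumptions constructed for illustration.

```python
import re

# Any three-part project.dataset.table path. This deliberately over-approximates
# (it may also catch a nested column path), so the check fails closed. A regex
# is a stand-in here: a production guard should rely on the query engine's own
# resolution of which tables a job reads.
_TABLE_PATH = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_]+\.[A-Za-z0-9_$*-]+")


def referenced_tables(sql):
    """Return every fully qualified table path that appears in the query."""
    # Drop backticks so `p.d.t` and `p`.`d`.`t` normalise to the same path.
    return set(_TABLE_PATH.findall(sql.replace("`", "")))


def undisclosed_tables(sql, disclosed_sources):
    """Tables the query touches that the agent never disclosed.

    disclosed_sources holds full table paths or 'project.dataset.*'
    wildcards covering every table in that dataset (assumed convention).
    """
    allowed = set(disclosed_sources)
    flagged = set()
    for table in referenced_tables(sql):
        dataset_wildcard = table.rsplit(".", 1)[0] + ".*"
        if table not in allowed and dataset_wildcard not in allowed:
            flagged.add(table)
    return flagged


# Constructed sample: what the shared Canvas UI shows as the agent's sources.
DISCLOSED = {"attacker-project.sales.*"}

# Constructed sample: a query the assistant issues after a neutral greeting.
SAMPLE_SQL = """
SELECT o.id, v.email
FROM `attacker-project.sales.orders` AS o
JOIN `victims-project.dataset.table` AS v ON o.id = v.id
"""

if __name__ == "__main__":
    for table in sorted(undisclosed_tables(SAMPLE_SQL, DISCLOSED)):
        print("query reads undisclosed table:", table)
```

A non-empty result means the assistant is about to read data the Canvas never declared, which is the point at which the tool call should be blocked or surfaced to the user for confirmation.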

Ben Smith