It’s barely been out for a month and already security researchers have discovered a prompt injection vulnerability in Google’s Gemini command line interface (CLI) AI agent that could be exploited to steal sensitive data such as credentials and API keys from unwary developers.
Gemini CLI integrates Google’s LLM with traditional command line tools such as PowerShell or Bash. This allows developers to use natural language prompts to speed up tasks such as analyzing and debugging code, generating documentation, and understanding new repositories (“repos”).
However, within two days of its release on June 25, UK cloud threat detection vendor Tracebit had already spotted the software’s first security weaknesses, which developers might encounter when studying unverified open source repos for the first time.
In the proof of concept, the malicious prompts were delivered using an innocuous looking README.md GNU Public License file of the sort that would be part of any open source repo.
The researchers then uncovered a combination of smaller weaknesses that could be exploited together to run malicious shell commands without the user’s knowledge.
The first weakness is that Gemini CLI sensibly allows users to allowlist frequent commands — for example, grep — to avoid constant do you want to allow this? re-prompts. It’s a helpful facility, except that Gemini CLI’s allowlisting couldn’t distinguish between the legitimate grep and a malicious command masquerading as grep.
Because minimal validation was performed, this would allow an attacker to execute any malicious command they wanted, all without the need to re-prompt.
“[That could include] a grep command followed by a command to silently exfiltrate all the user’s environment variables (possibly containing secrets) to a remote server. The malicious command could be anything (installing a remote shell, deleting files, etc),” wrote Tracebit’s Sam Cox.
Granted, the command would execute without a re-prompt, but wouldn’t the user still notice it as it runs in the CLI? If so, this would expose the attacker even if the command had successfully run.
Unfortunately, Tracebit discovered that malicious commands could be hidden in Gemini CLI by packing the command line with blank characters, pushing the malicious commands out of the user’s sight.
“It’s the combination of prompt injection, poor UX considerations that don’t surface risky commands, and insufficient validation on risky commands. When combined, the effects are significant and undetectable,” said Cox.  
The same attack failed on rival tools: “When attempting this attack against other AI code tools, we found multiple layers of protections that made it impossible,” Tracebit found.
AI tools are all about speeding up and automating tedious and time consuming tasks. However, they also do the same thing for prompt injection attackers. The exploit documented by Tracebit involves assumptions, but not unreasonable ones, that an attacker could exploit under real-world conditions. Meanwhile, the hunt is already underway to find prompt injection flaws across a wide range of contexts and tools.
In short, while Tracebit’s flaw is the first discovered in Gemini CLI, it is probably not the last. The flaws, classified by Google as a high severity (V1) and priority fix (P1), were patched in Gemini CLI v0.1.14 released on July 25, which is why we’re hearing about it now.
Beyond updating to the patched version of Gemini CLI, the best advice is always to run tools in sandbox mode to isolate them from the host system. Google’s response to the disclosure, sent to Tracebit, underlined the latter point:
“Our security model for the CLI is centered on providing robust, multi-layered sandboxing. We offer integrations with Docker, Podman, and macOS Seatbelt, and even provide pre-built containers that Gemini CLI can use automatically for seamless protection,” the Google Vulnerability Disclosure Program (VDP) team told Tracebit. “For any user who chooses not to use sandboxing, we ensure this is highly visible by displaying a persistent warning in red text throughout their session.” 

John E. Dunn is a veteran cybersecurity reporter, specializing in crisis response, ransomware, data breaches, encryption, quantum computing and QKD, DevSecOps, managed services, cybersecurity in education, retail cybersecurity, vulnerability reporting, and cybersecurity ethics.
John is a former editor of the UK editions of Personal Computer Magazine, LAN Magazine, and Network World. In 2003 he co-founded Techworld, since when he has covered cybersecurity and business computing for a range of publications including Computerworld, Forbes, Naked Security, The Register, and The Times.

source

In the ever-evolving world of search engines, Google finds itself at a pivotal crossroads, grappling with how to prioritize user satisfaction while sustaining the broader web ecosystem that feeds its algorithms. Recent statements from Google’s search team highlight this tension, as the company navigates complaints from publishers and SEO professionals about declining traffic and perceived biases in search results. At the heart of the discussion is Gary Illyes, a prominent Google analyst, who candidly admitted during a session at Search Central Live Deep Dive 2025 that the tech giant is “still figuring out” this delicate balance.
Illyes’ remarks came in response to a question from Kenichi Suzuki about measuring high-quality traffic and user satisfaction. According to reports from Search Engine Journal, Illyes emphasized that Google aims to deliver results that genuinely meet user needs, even if it means some websites see reduced visibility. This admission underscores a broader shift in Google’s strategy, where user-centric metrics like satisfaction scores are increasingly pitted against the economic interests of content creators who rely on search traffic for revenue.
Shifting Priorities in Search Algorithms
The conversation ties into Google’s recent core updates, which have stirred significant volatility in rankings. For instance, the June 2025 core update, detailed in analyses from Search Engine Land, was described as a “big update” that rewarded sites with substantial recoveries from prior penalties, particularly those hit by helpful content and review system changes. Data providers noted partial rebounds for some domains, suggesting Google’s algorithms are refining their assessment of quality to favor depth over superficial optimization.
Yet, this refinement has not been without controversy. Publishers argue that Google’s emphasis on user needs—such as quick, accurate answers—often results in zero-click searches, where information is surfaced directly on the results page, siphoning traffic from original sources. Posts on X (formerly Twitter) reflect this sentiment, with SEO experts like Charles Floate criticizing Google for scraping content while discouraging similar practices among webmasters, highlighting a perceived hypocrisy in how the ecosystem is managed.
The Metrics Behind User Satisfaction
Delving deeper, Google’s approach involves sophisticated metrics to gauge user satisfaction, including click-through rates, dwell time, and feedback loops from human raters. Illyes explained that high-quality traffic isn’t just about volume but about relevance and user engagement, a point echoed in the company’s March 2024 spam update announcement on its official blog, which aimed to reduce low-quality, unoriginal content. This update, as covered by Google’s own blog, promised fewer spammy results, aligning with efforts to enhance trustworthiness.
However, balancing this with ecosystem health remains elusive. Illyes acknowledged the challenge of ensuring that rewarding user-focused content doesn’t inadvertently harm smaller publishers who produce niche, valuable material but lack the authority of big brands. Insights from X posts, such as those from Cyrus SEO discussing updates to Google’s Quality Rater Guidelines, suggest a potential leveling of the playing field, where high-quality pages from non-brand sites could gain more traction if they meet user needs effectively.
Implications for Publishers and SEO Strategies
For industry insiders, these developments signal a need to adapt strategies beyond traditional SEO tactics. The June 2025 update analysis in Search Engine Journal points to two key changes: enhanced evaluation of E-E-A-T (experience, expertise, authoritativeness, trustworthiness) and a crackdown on “fluff” content. Experts like Marie Haynes, referenced in Aleyda Solis’ X thread, have analyzed pages that improved post-update, noting that authentic, in-depth content outperformed keyword-stuffed alternatives.
This push for quality over quantity could reshape content creation, encouraging publishers to invest in original research and user-centric formats. Yet, as Eugene Ng noted on X, the rise of AI-driven searches exacerbates traffic declines, with Google crawling more but referring less, prompting calls for regulatory scrutiny.
Looking Ahead: Google’s Ongoing Evolution
Google’s leadership, including CEO Sundar Pichai, has stressed urgency in internal meetings, as reported by CNBC, urging faster innovation amid high stakes for 2025. Announcements from Google I/O 2025, detailed on Google’s blog, introduced AI enhancements that promise better user experiences but raise questions about ecosystem fairness.
Ultimately, Illyes’ candidness reveals Google’s work-in-progress status on this balance. As the company refines its algorithms—evident in the completed rollout of the June core update per Search Engine Land—publishers must prioritize genuine value to thrive. The web’s future hinges on whether Google can harmonize user delight with a sustainable content economy, a puzzle that continues to unfold in real-time discussions across platforms like X and industry forums.
Subscribe for Updates
Search engine news, tips, and updates for the search professional.
Help us improve our content by reporting any issues you find.
Get the free daily newsletter read by decision makers
Get our media kit
Deliver your marketing message directly to decision makers.

source

THE DECODER
Artificial Intelligence: News, Business, Research
Google waited nearly two years to reveal that its Android Earthquake Alerts system (AEA) failed during the devastating 2023 earthquakes in Turkey.
“I’m really frustrated that it took so long,” Elizabeth Reddy of the Colorado School of Mines told BBC News. “We’re not talking about a little event – people died – and we didn’t see a performance of this warning in the way we would like.”
When the first major quake hit in February 2023, the AEA system estimated its magnitude at only 4.5 to 4.9 on the moment magnitude scale. In reality, it was a 7.8—one of the most powerful earthquakes in the region’s history.
Because of this severe miscalculation, only 469 “Take Action” alerts were sent to people in the immediate danger zone. This is the only alert level that wakes users even if their phone is set to silent.
Check your inbox or spam folder to confirm your subscription.

The system also underestimated the second major quake that struck the same day. Just 8,158 “Take Action” alerts and fewer than four million “Be Aware” notifications were sent out.
Later simulations showed that as many as ten million people should have received a critical warning. Only after Google updated its algorithms did it become clear that the system could have correctly identified the severity of the quakes and warned those at risk in time.
Google’s admission, published in the journal Science, contradicts earlier statements. In 2023, Google told the BBC that the system had “worked well.” Now, more than two years later, the company now says: “Subsequent analysis of the event revealed several limitations of the detection algorithms, which have since been improved.”
According to Google, three main issues led to the failure: a data evaluation window that was too short, which caused the system to miss the full strength of the quake; too many unreliable smartphones that produced faulty or “noisy” sensor data due to movement, dropping, or other interference, making it hard to distinguish real earthquakes from random motion; and widespread device vibration triggered by weaker alerts, which further confused the system’s detection algorithms. Google says it has since addressed all three problems.
AEA still relies on classic signal‑processing rules, but Google is now adding AI‑driven forecasting models—an expansion that increases its public‑safety responsibility. Yet its record on disclosure remains mixed: the warning network now spans 98 countries, but Google has released no public data on how it performed during the 2025 Myanmar earthquake.
Check your inbox or spam folder to confirm your subscription.

Check your inbox or spam folder to confirm your subscription.

source

A Pixel 6a shows exactly why Google is offering a free battery replacement on some units.
Things that are NOT allowed:
To help keep our community safe and free from spam, we apply temporary limits to newly created accounts:

source