Gemini Live Voice Session Flaw Enables Tool Injection Through Ephemeral Tokens
What happened
A security flaw in how developers implement Google’s Gemini Live API can allow attackers to hijack browser-based AI voice sessions, override system prompts, and enable unauthorized tools through misconfigured ephemeral tokens. Security researcher Alvin Ferdiansyah found that Gemini Live uses persistent WebSocket connections for real-time voice assistants, with one endpoint intended for server-to-server calls and another constrained endpoint intended for browser clients using short-lived tokens.
The issue occurs when developers mint ephemeral tokens without locking down the session setup through live connect constraints. If those constraints are missing, the backend accepts whatever the client sends in its setup frame, including the model, system instructions, and available tools such as code execution, Google Search, and URL fetching. Google’s own reference implementation reportedly mints tokens without the constraint field, meaning teams that build from the example may inherit the unsafe configuration.
During testing, the researcher obtained a valid token through a simple registration flow, connected directly to the WebSocket, and sent a custom setup frame that changed the system instruction and enabled code execution. The server accepted the setup and ran a Python payload inside Google’s gVisor sandbox. The researcher verified real execution using nonce-based SHA-256 calculations tied to runtime details that could not be precomputed.
The gVisor sandbox limits the impact by blocking outbound network access and host escape, so the flaw is not described as a path to lateral movement. However, it can still allow unauthorized tool use, sandboxed compute abuse, prompt and tool injection, and billed API resource consumption through token renewal. The recommended fix is to populate the token-minting call with live connect constraints that lock the intended model, system prompt, and tools server-side.
Who is affected
Developers and companies building browser-facing Gemini Live integrations are affected if they use ephemeral tokens without setting strict live connect constraints.
Products based on Google’s reference implementation may also be exposed if they copied the token-minting logic without adding server-side constraints for the model, system instructions, and tools.
Users of affected AI voice applications may be indirectly impacted if attackers can abuse a valid session to override intended assistant behavior, enable unauthorized tools, or consume backend resources.
Why CISOs should care
This issue shows how AI application security depends not only on the model but also on session design, token scope, and tool permissions. A token can prove that a user is allowed to connect, but that does not mean the user should be allowed to define what the AI session can do.
For CISOs, the tool-injection risk is the key concern. If browser clients can control tools such as code execution, search, or URL fetching, attackers may turn an ordinary voice assistant session into an unauthorized execution or reconnaissance path.
The reference implementation angle is also important. Teams often build quickly from vendor examples, but sample code may omit security constraints that are essential for production deployments.
The broader lesson is that AI agents and voice assistants need the same least-privilege design as traditional applications. Session parameters, system prompts, models, and tools should be enforced by the backend, not trusted from the client.
3 practical actions
Lock Gemini Live session setup server-side: Developers should populate live connect constraints when minting ephemeral tokens, including the intended model, system prompt, and allowed tools. Empty tool arrays should be used where tools are not required.
Review browser-facing AI integrations: CISOs should inventory Gemini Live and other real-time AI applications that rely on client-side setup frames, short-lived tokens, WebSockets, or tool-enabled sessions.
Treat AI tools as privileged capabilities: Code execution, Google Search, URL fetching, and similar functions should require explicit backend authorization, logging, and monitoring rather than being controlled by browser clients.
More cybersecurity news:


