A vulnerability in browser-based deployments of Google’s Gemini Live API allowed attackers to hijack AI voice sessions when ephemeral WebSocket tokens were issued without server-side live_connect_constraints. Researcher Alvin Ferdiansyah reported that affected applications could let a user self-register, obtain a short-lived token, connect directly to Google’s WebSocket endpoint, and submit an attacker-controlled setup frame that overrode the intended system instruction and enabled unauthorized tools such as codeExecution.
In proof-of-concept testing, the manipulated session returned setupComplete and successfully executed arbitrary Python code inside Google’s gVisor sandbox with an OUTCOME_OK result. While gVisor reportedly blocked host escape and outbound network access, the flaw still exposed organizations to sandboxed compute abuse, reconnaissance, prompt tampering, and potentially ongoing billed API consumption through token renewal. The reported remediation is to bind tokens to fixed session parameters during minting by populating live_connect_constraints.bidi_generate_content_setup so the backend enforces the model, system prompt, and allowed tools.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
1 event from the most recent confirmed update back to the earliest known activity.
Researcher Alvin Ferdiansyah identified a misconfiguration in Gemini Live ephemeral token minting that left live session setup unconstrained, then used a client-controlled setup frame to override system instructions, enable the codeExecution tool, and successfully run Python code in Google's gVisor-based sandbox.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourceinfosecwriteups.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.