Alvin Ferdiansyah discovered that Google's reference implementation for Gemini Live API ephemeral tokens omitted the live connect constraints field, allowing attackers to hijack browser based AI voice sessions by send... The fix: populate live connect constraints.bidi generate content setup during token minting with...

Create a landscape editorial hero image for this Studio Global article: Search & fact-check with cited sources for What is the Gemini Live API flaw discovered by Alvin Ferdiansyah, how does it allow attackers to. Article summary: ## The Vulnerability. Topic tags: general, documentation, general web, user generated. Style: premium digital editorial illustration, source-backed research mood, clean composition, high detail, modern web publication hero. Use reference image context only for broad subject, composition, and topical grounding; do not copy the exact image. Avoid: logos, brand marks, copyrighted characters, real person likenesses, fake screenshots, UI text, readable text, watermarks, charts with fake numbers, clickbait thumbnails, icons, and tiny thumbnail layouts. Make it useful as an illustrative visual, not as factual evidence.
In late June 2026, security researcher Alvin Ferdiansyah published a detailed breakdown of what he described as a critical misconfiguration in Google's Gemini Live API ephemeral token system. The flaw, if confirmed, allows an attacker who obtains a short-lived WebSocket token to hijack a browser-based AI voice session — controlling the model, system prompt, and even the tools the session can execute.
The core of the vulnerability is a missing security field during token minting. Here is what we know, what is still unconfirmed, and how developers can protect their deployments right now.
The Gemini Live API supports browser-to-server WebSocket connections using ephemeral tokens — short-lived authentication tokens that expire quickly and can be restricted to specific uses . These tokens are minted by a backend server and then handed to the client, which uses them to connect directly to the Gemini API without exposing the underlying API key.
Google documentation explains that ephemeral tokens are designed for client-to-server implementations where security is a concern, because even if extracted from a browser, the token's short lifetime limits damage . The endpoint for these constrained connections is
BidiGenerateContentConstrained, which accepts the ephemeral token as an access_token query parameter .
live_connect_constraints fieldAccording to Ferdiansyah's write-up, the reference implementation for token minting omitted the live_connect_constraints field . This field is supposed to contain a
bidi_generate_content_setup object that binds the token to a specific model, system instruction, and set of tools.
When live_connect_constraints is left empty or absent, no constraints are enforced. An attacker who obtains the ephemeral token can then send a client-controlled setup frame specifying any model, system prompt, and tools they choose. The server, lacking token-bound values to validate against, accepts the attacker's configuration.
Important caveat: The provided sources do not include Google's official documentation for
live_connect_constraints, a CVE, or a Google security advisory confirming this behavior. The claim comes from Ferdiansyah's Medium post and should be treated as unverified but plausible.
If the vulnerability is real, the consequences are significant for any application using the Gemini Live API in a browser context:
Developers on the Google AI forum have reported issues with ephemeral tokens ignoring system instructions and failing to work as expected with constrained endpoints, suggesting the broader ecosystem is still maturing .
The remediation described by Ferdiansyah is straightforward: populate the live_connect_constraints.bidi_generate_content_setup
model — The exact Gemini model to use (e.g., models/gemini-2.5-flash-native-audio-latest).system_instruction — The intended system prompt, structured as parts containing text.tools — An empty array [] or only explicitly allowed tools, preventing client-side injection.Here is the illustrative Python code from Ferdiansyah's write-up :
token = gemini_client.auth_tokens.create({
"uses": 1,
"expire_time": now + timedelta(seconds=60),
"new_session_expire_time": now + timedelta(seconds=60),
"live_connect_constraints": {
"bidi_generate_content_setup": {
"model": "models/gemini-2.5-flash-native-audio-latest",
"system_instruction": {
"parts": [{"text": "You are a customer support assistant..."}]
},
"tools": []
}
}
})Note: Because
live_connect_constraintsis not documented in the official Google API reference provided in the sources, this example is based on Ferdiansyah's own description and should be tested against the actual API before production use.
The following key points remain unverified by the provided sources:
live_connect_constraints.BidiGenerateContentConstrained endpoint when receiving an unconstrained token is not documented in the provided official references Until Google publishes an official advisory, the safest approach is to treat the vulnerability as plausible and apply the fix proactively:
live_connect_constraints or its equivalent field.newSessionExpireTime of around 60 seconds to limit the window for token theft The Gemini Live API is a powerful tool for building real-time voice and video experiences. A single missing field in the token minting process should not undermine that capability — but developers must ensure their implementations are complete.
This article was fact-checked against 27 provided sources, including official Google documentation, community forum discussions, and the original researcher's write-up. Key claims from the researcher could not be independently verified from official sources at the time of publication.
Studio Global AI
Use this topic as a starting point for a fresh source-backed answer, then compare citations before you share it.
Alvin Ferdiansyah discovered that Google's reference implementation for Gemini Live API ephemeral tokens omitted the live connect constraints field, allowing attackers to hijack browser based AI voice sessions by send...
Alvin Ferdiansyah discovered that Google's reference implementation for Gemini Live API ephemeral tokens omitted the live connect constraints field, allowing attackers to hijack browser based AI voice sessions by send... The fix: populate live connect constraints.bidi generate content setup during token minting with the intended model, system prompt, and an empty or restricted tools array.
Official Google documentation and a CVE are not yet available, so developers should treat the vulnerability as plausible and apply the remediation proactively.