- Researchers discover Gemini AI prompt injection via Google Calendar invites
- Attackers could exfiltrate private meeting data with minimal user interaction
- Vulnerability has been mitigated, reducing immediate exploitation risk
Security researchers have identified a new method for executing prompt injection attacks on Google’s Gemini AI, specifically targeting sensitive Google Calendar data.
Prompt injection involves embedding a malicious prompt within an otherwise harmless message. When the victim instructs their AI to analyze the message, the AI inadvertently executes the prompt, fulfilling the attacker’s intent.
This vulnerability arises from the AI's inability to differentiate between instructions and the data used to execute those instructions.
Exploiting Gemini and Calendar
Previously, prompt injection attacks were confined to email communications. However, recent findings from Miggo Security indicate that similar tactics can be employed through Google Calendar.
In this scenario, an attacker can create a calendar event containing a malicious prompt and invite the victim by adding their email address. The invitation is sent as an email, which includes the harmful prompts. The victim's next action—asking their AI to check for upcoming events—triggers the AI to process the prompt, creating a new calendar event that includes the attacker, thereby granting them access to sensitive information.
“This bypass enabled unauthorized access to private meeting data and the creation of deceptive calendar events without any direct user interaction,” the researchers reported to The Hacker News.
“Behind the scenes, however, Gemini created a new calendar event and wrote a full summary of our target user's private meetings in the event's description,” Miggo explained. “In many enterprise calendar setups, the new event was visible to the attacker, allowing them to read the exfiltrated private data without the target user ever taking any action.”
The issue has since been addressed, according to Miggo.
Via TheHackerNews