- Researchers discover Gemini AI prompt injection via Google Calendar invitations
- Attackers could exfiltrate private meeting data with minimal user interaction
- The vulnerability has been mitigated, reducing the immediate risk of exploitation
Security researchers found yet another way to run instant injection attacks on Google’s Gemini AI, this time to exfiltrate sensitive Google Calendar data.
Prompt injection is a form of attack where the malicious actor hides a prompt in an otherwise benign message. When the victim tells their AI to analyze the message (or otherwise use it as data in its work), the AI ends up running the prompt and doing the actor’s bidding.
At its core, fast injection is possible because AIs cannot distinguish between the instruction and the data used to execute that instruction.
Abuses Gemini and Calendar
Until now, rapid injection attacks were limited to email messages and the instruction to summarize or read emails. In the latest research, Miggo Security said the same can be done via Google Calendar.
When a person creates a calendar entry, they can invite other participants by adding their email address. In this scenario, a threat actor can create a calendar entry containing the malicious prompt (to exfiltrate calendar data) and invite the victim. The invitation is then sent in the form of an email containing the notifications. The next step is for the victim to instruct their AI to check for upcoming events.
The AI will analyze the prompt, create a new calendar event with the details and add the attacker directly giving them access to sensitive information.
“This bypass enabled unauthorized access to private meeting data and the creation of deceptive calendar events without any direct user interaction,” the researchers told The Hacker News.
“However, behind the scenes, Gemini created a new calendar event and wrote a complete summary of our target user’s private meetings in the event description,” Miggo said. “In many enterprise calendar configurations, the new event was visible to the attacker, allowing them to read the exfiltrated private data without the target user ever taking any action.”
The problem has since been fixed, Miggo confirmed.
Via TheHackerNews
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
