- Researchers discover Gemini AI prompt injection via Google Calendar invites
- Attackers could exfiltrate private meeting data with minimal user interaction
- Vulnerability has been mitigated, reducing immediate exploitation risk
Security researchers found yet another way to run prompt injection attacks on Google’s Gemini AI, this time to exfiltrate sensitive Google Calendar data.
Prompt injection is a type of attack in which the malicious actor hides a prompt in an otherwise benign message. When the victim tells their AI to analyze the message (or otherwise use it as data in its work), the AI ends up running the prompt and doing the actor’s bidding.
At its core, prompt injection is possible because AIs cannot distinguish between the instruction and the data used to execute that instruction.
Abusing Gemini and Calendar
So far, prompt injection attacks were limited to email messages, and the instruction to summarize, or read emails. In the latest research, Miggo Security said the same can be done through Google Calendar.
When a person creates a calendar entry, they can invite other participants by adding their email address. In this scenario, a threat actor can create a calendar entry that contains the malicious prompt (to exfiltrate calendar data) and invite the victim. The invitation is then sent in the form of an email, containing the prompts. The next step is for the victim to instruct their AI to check for upcoming events.
The AI will parse the prompt, create a new Calendar event with the details, and add the attacker, directly granting them access to sensitive information.
“This bypass enabled unauthorized access to private meeting data and the creation of deceptive calendar events without any direct user interaction,” the researchers told The Hacker News.
“Behind the scenes, however, Gemini created a new calendar event and wrote a full summary of our target user’s private meetings in the event’s description,” Miggo said. “In many enterprise calendar configurations, the new event was visible to the attacker, allowing them to read the exfiltrated private data without the target user ever taking any action.”
The issue has since been mitigated, Miggo confirmed.
Via TheHackerNews
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
