Google developers have fixed a bug that allowed malicious Google Calendar invitations to remotely take control of Gemini agents running on a victim’s device and steal user data.
Gemini is Google’s large language model (LLM), integrated into Android, Google web services, and Google Workspace apps with access to Gmail, Calendar, and Google Home.
SafeBreach researchers discovered that by sending a victim a Google Calendar invite with an embedded prompt injection (which can be hidden, for example, in the event title), attackers could extract email contents and information from Calendar, track the user’s location, control “smart” home devices via Google Home, open apps on Android, and initiate Zoom video calls.
In their report, the researchers emphasize that this attack did not require white-box access to the model, nor was it blocked by prompt filters or other Gemini safeguards.
The attack began by sending the victim an invitation to an event via Google Calendar, with the event title containing a malicious prompt. As soon as the victim interacted with Gemini—for example, by asking “What events do I have scheduled in my calendar for today?”—the AI would fetch the list of events from Calendar, including the malicious one.
As a result, the malicious prompt became part of Gemini’s context window, and the assistant treated it as part of the conversation, not realizing that the instruction was hostile to the user.
Depending on the prompt used, attackers could launch various tools or agents to delete or edit Calendar events, open URLs to determine the victim’s IP address, join Zoom calls, use Google Home to control devices, and access emails to exfiltrate data.
Researchers note that an attacker could send six invitations, adding the malicious prompt only to the last one, so the attack would succeed while maintaining a degree of stealth.
The catch is that Calendar Events displays only the five most recent events, with the rest hidden behind a “Show more” button. However, when queried, Gemini parses all of them, including the malicious one. The user won’t see the malicious title unless they manually expand the events list.
It’s worth noting that last month infosec specialist Marco Figueroa reported on a Google Gemini vulnerability to prompt injections. Figueroa is the bug bounty program manager for 0Din (0Day Investigative Network). This program was launched by Mozilla in the summer of 2024 and is a bounty program for vulnerabilities in large language models (LLMs) and other deep-learning technologies and tools.
The specialist wrote that Google Gemini for Workspace can be used to create brief summaries of emails that look legitimate but contain malicious instructions and messages directing users to phishing sites.
Google representatives responded to the publication of the SafeBreach report, stating that the company is continuously implementing new protective mechanisms for Gemini aimed at a wide range of attacks. It is emphasized that many of these safeguards are slated for imminent deployment or are already in the process of being rolled out.
“We fixed this issue before it could be exploited, thanks to the excellent work and responsible disclosure by Ben Nassi and his team,” Andy Wen, Senior Director of Security Product Management for Google Workspace, told Bleeping Computer. “This research helped us better understand new attack vectors and accelerated the rollout of new, advanced safeguards that are now in place protecting users. It’s a great example of why red-teaming and cross-industry collaboration are so important.”