Google Gemini for Workspace can be used to create brief email summaries that appear legitimate but contain malicious instructions and messages directing users to phishing sites.
This attack uses prompt injections hidden in emails, which Gemini follows when generating a summary of the message.
Information security specialist Marco Figueroa discussed the vulnerability of Google Gemini to prompt injections. Figueroa is the manager of the 0Din (0Day Investigative Network) bug bounty program. This program was launched by Mozilla in the summer of 2024 and serves as a reward program for identifying vulnerabilities in large language models (LLM) and other deep learning technologies and tools.
The attack is based on crafting an email with an invisible directive for Gemini. The attacker can conceal a malicious instruction for the AI within the email text, at the end of the message, by using HTML and CSS to set the font size to zero or color it white.
Such a malicious instruction will not be displayed in Gmail and will not be noticeable to a person. However, since there are no suspicious attachments or links in the email, the message is highly likely to reach the recipient’s inbox.
If the recipient opens the email and asks Gemini to create a brief summary, the AI will read the invisible instruction and execute it.
In Figueroa’s example, Gemini follows hidden instructions in the email and displays a warning to the user that their Gmail password may have been compromised. This message is accompanied by a fake customer support phone number.
Since users generally trust the results provided by Gemini, which is part of the Google Workspace functionality, there is a high likelihood that such a warning will be perceived as genuine.
An expert suggests several methods for detecting and mitigating such attacks. One of these involves removing, neutralizing, or ignoring content in emails that is formatted as hidden text. Another method involves using a post-processing filter that scans the Gemini output for warnings, URLs, or phone numbers, flagging such messages for further review.
Additionally, users should remember that the brief summaries from Gemini should not be considered reliable, especially when it comes to any warnings related to security.
Google representatives assured the media that the company is working on protection against such attacks.
“We are continuously strengthening our already robust defenses by conducting red team tests, during which our models are trained to counteract such attacks,” Google representatives report.
Google also noted that the company is not aware of any cases of Gemini manipulation as described in Figueroa’s report.
2025.04.10 — April updates released by Microsoft cause issues with Windows Hello
Microsoft warns that some Windows users who have installed the April updates might be unable to login to their Windows services using Windows Hello facial recognition…
Full article →
2025.03.07 — YouTube warns of scam video featuring its CEO
According to YouTube, scammers use an AI-generated video of the company's CEO in phishing attacks to steal user credentials. The scammers attack content creators by sending them…
Full article →
2025.01.22 — Fake Homebrew Infects macOS and Linux Machines with infostealer
Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.…
Full article →
2025.02.18 — Chrome Enhanced Protection mode is now powered by AI
The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…
Full article →
2025.04.23 — Improper authentication control vulnerability affects ASUS routers with AiCloud
ASUSTeK Computer Inc. fixed an improper authentication control vulnerability in routers with AiCloud. The bug allows remote attackers to perform unauthorized actions on vulnerable devices. The issue…
Full article →
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE
Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…
Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin
Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…
Full article →
2025.01.28 — J-magic backdoor attacked Juniper Networks devices using 'magic packets'
A massive backdoor attack targeting Juniper routers often used as VPN gateways has been uncovered. The devices were attacked by the J-magic malware that…
Full article →
2025.02.12 — 2.8 million IP addresses used to brute-force network devices
The Shadowserver Foundation warns of a massive web login brute-forcing attacks targeting nearly 2.8 million IP addresses per day. Unknown attackers are seeking…
Full article →
2025.02.01 — Critical RCE vulnerability fixed in Cacti
A critical vulnerability has been discovered in the open-source Cacti framework: it enables an authenticated attacker to remotely execute arbitrary code. Vulnerability's ID is CVE-2025-22604; its…
Full article →