Google Gemini for Workspace can be used to create brief email summaries that appear legitimate but contain malicious instructions and messages directing users to phishing sites.
This attack uses prompt injections hidden in emails, which Gemini follows when generating a summary of the message.
Information security specialist Marco Figueroa discussed the vulnerability of Google Gemini to prompt injections. Figueroa is the manager of the 0Din (0Day Investigative Network) bug bounty program. This program was launched by Mozilla in the summer of 2024 and serves as a reward program for identifying vulnerabilities in large language models (LLM) and other deep learning technologies and tools.
The attack is based on crafting an email with an invisible directive for Gemini. The attacker can conceal a malicious instruction for the AI within the email text, at the end of the message, by using HTML and CSS to set the font size to zero or color it white.
Such a malicious instruction will not be displayed in Gmail and will not be noticeable to a person. However, since there are no suspicious attachments or links in the email, the message is highly likely to reach the recipient’s inbox.
If the recipient opens the email and asks Gemini to create a brief summary, the AI will read the invisible instruction and execute it.
In Figueroa’s example, Gemini follows hidden instructions in the email and displays a warning to the user that their Gmail password may have been compromised. This message is accompanied by a fake customer support phone number.
Since users generally trust the results provided by Gemini, which is part of the Google Workspace functionality, there is a high likelihood that such a warning will be perceived as genuine.
An expert suggests several methods for detecting and mitigating such attacks. One of these involves removing, neutralizing, or ignoring content in emails that is formatted as hidden text. Another method involves using a post-processing filter that scans the Gemini output for warnings, URLs, or phone numbers, flagging such messages for further review.
Additionally, users should remember that the brief summaries from Gemini should not be considered reliable, especially when it comes to any warnings related to security.
Google representatives assured the media that the company is working on protection against such attacks.
“We are continuously strengthening our already robust defenses by conducting red team tests, during which our models are trained to counteract such attacks,” Google representatives report.
Google also noted that the company is not aware of any cases of Gemini manipulation as described in Figueroa’s report.
2025.04.16 — Android devices will restart every three days to protect user data
Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an…
Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store
According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…
Full article →
2025.02.28 — Qualcomm extends support for Android devices to 8 years
Qualcomm Technologies announced its collaboration with Google with the purpose to provide extended support for OEM devices running on company's flagship chipsets. This partnership will…
Full article →
2025.04.29 — FBI Offers 10 million USD for information on Salt Typhoon members
The FBI offers up to 10 million USD for information about members of the Chinese hacker group Salt Typhoon and last year's attack that had…
Full article →
2025.02.09 — Abandoned AWS S3 buckets could be used in attacks targeting supply chains
watchTowr discovered plenty of abandoned Amazon S3 buckets that could be used by attackers to deliver malware and backdoors to government agencies and large corporations. The researchers discovered…
Full article →
2025.03.12 — Mass exploitation of PHP-CGI vulnerability in attacks targeting Japanese companies
GreyNoise and Cisco Talos experts warn that hackers are actively exploiting CVE-2024-4577, a critical PHP-CGI vulnerability that was discovered and fixed in early June 2024. CVE-2024-457…
Full article →
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters
According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…
Full article →
2025.02.10 — Failed attempt to block phishing link results in massive Cloudflare outage
According to the incident report released by Cloudflare, an attempt to block a phishing URL on the R2 platform accidentally caused a massive outage; as a result, many Cloudflare…
Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin
Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…
Full article →
2025.01.25 — 18,000 script kiddies have been infected with backdoor via XWorm RAT builder
According to CloudSEK analysts, malefactors attack novice hackers using a fake malware builder. Script kiddies' systems become infected with a backdoor that steals data and subsequently…
Full article →