34
Researchers found a serious safety flaw in Google Calendar that might enable hijacking Gemini brokers by way of malicious invitations. Google patched the flaw following the bug report, making certain customers’ safety.
Malicious Invitations Might Exploit Google Calendar Flaw To Leak Knowledge
Researchers from SafeBreach found a critical vulnerability in Google Calendar that might danger customers’ safety. As elaborated of their weblog put up, the safety flaw might enable an attacker to hijack Gemini brokers on the goal system by way of maliciously crafted Google Calendar invitations. In flip, this may enable the attacker to entry delicate knowledge by way of Gemini with out requiring person interplay.
Briefly, the assault begins when the attacker sends a malicious Calendar invite to the goal person. The assault includes embedding the malicious immediate throughout the invite’s occasion title, so it may be pulled up after the goal person asks Gemini in regards to the calendar invitations.
As Gemini executes the malicious immediate, contemplating it part of the context, it could carry out the required malicious motion with out figuring out the intent. This immediate might require any malicious operate from the attacker, comparable to meddling with Calendar occasions, extracting the person’s IP tackle by way of a URL, or interacting with different brokers, comparable to Google Dwelling, Messages, Cellphone, or different functions like Zoom, performing numerous actions, like becoming a member of a name or fetching knowledge, with out person enter.
The next diagram illustrates the assault movement.
Supply: SafeBreach
Of their research, the researchers demonstrated “context poisoning” – a method the place the LLM is tricked into contemplating the complete dialog historical past by sending one question at a time. Injecting a malicious instruction into an extended dialog would trick the mannequin into executing the exercise. The researchers carried out numerous varieties of assaults this manner, comparable to spamming the person, producing hateful content material, invoking instruments and apps, visiting URLs, and exfiltrating knowledge.
Google Deployed Mitigations
Following the researchers’ report, Google acknowledged their efforts and deployed mitigation methods to forestall promptware assaults. In response to their weblog put up revealed in June 2025, Google strengthened the most recent Gemini fashions (v2.5 and later) with layered protection methods to forestall promptware. These embrace:
- Immediate injection content material classifiers: The mannequin analyzes the directions and avoids responding to malicious directions.
- Safety thought reinforcement: In case of detecting partial directions as malicious, comparable to in immediate injection assaults, the mannequin solely focuses on the duty, ignoring malicious directions.
- Markdown sanitization and suspicious URL redaction: The mannequin analyzes exterior URLs and removes them from the output upon detecting malicious hyperlinks.
- Person affirmation framework: For directions together with suspicious actions, like deleting Calendar occasions, the mannequin asks for person affirmation earlier than performing the motion.
- Finish-user safety mitigation notifications: Customers obtain notifications highlighting Gemini’s actions upon detecting doubtlessly malicious parts, such because the removing of suspicious URLs.
Promptware Threats Are Rising
The report from SafeBreach, in line with the researchers, doesn’t particularly apply to Gemini. As a substitute, it signifies the widespread influence of the rising menace within the cybersecurity world – promptware. As AI utilization turns into frequent, promptware threats acquire much more significance for well timed mitigation.
Nonetheless, SafeBreah isn’t the primary to level out this menace. In 2024, a staff of researchers shared an in depth analysis paper about promptware threats impacting generative AI apps. The researchers additionally proposed numerous mitigation methods to keep away from these threats.
Tell us your ideas within the feedback.
Get actual time replace about this put up class instantly in your system, subscribe now.
