
- Researchers Discover Gemini AI Prompt Injection via Google Calendar Invites
- Attackers could exfiltrate private meeting data with minimal user interaction
- The vulnerability has been mitigated, reducing immediate risk of exploitation
Security researchers have discovered another way to launch prompt injection attacks on Google’s Gemini AI, this time to exfiltrate sensitive data from Google Calendar.
Prompt injection is a type of attack in which a malicious actor hides a prompt in an otherwise innocuous message. When the victim asks their AI to analyze the message (or use it as data in its work), the AI ends up executing the hidden prompt and carrying out the actor’s commands.
At its core, prompt injection is possible because AIs cannot distinguish between the instruction and the data used to execute that instruction.
Abusing Gemini and the calendar
Until now, prompt injection attacks have been limited to email messages and instructions for summarizing or reading emails. In the latest research, Miggo Security said that the same can be done through Google Calendar.
When someone creates a calendar entry, they can invite other participants by adding their email address. In this scenario, a malicious actor can create a calendar entry containing the malicious prompt (to exfiltrate calendar data) and invite the victim. The invitation is then sent as an email, containing the prompt. The next step is for the victim to ask their AI to check for upcoming events.
The AI will parse the prompt, create a new calendar event with the details and add the attacker, directly granting them access to sensitive information.
“This bypass allowed unauthorized access to private meeting data and the creation of deceptive calendar events without any direct user interaction,” the researchers told The Hacker News.
“However, behind the scenes, Gemini created a new calendar event and wrote a full summary of our target user’s private meetings into the event description,” Miggo said. “In many enterprise calendar setups, the new event was visible to the attacker, allowing them to read the exfiltrated private data without the target user taking any action.”
The problem has since been mitigated, Miggo confirmed.
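To illustrate the defensive side of the flow described above, here is an added example (not code from Miggo's research or from Google's mitigation) of a policy gate that marks an assistant session as tainted once it has read an invite from an outside organizer, then blocks or escalates calendar writes for the rest of that session. The tool names, the `example.com` organization domain and all class and function names are hypothetical.

```python
from dataclasses import dataclass, field

ORG_DOMAIN = "example.com"  # assumption: the user's own organization
WRITE_TOOLS = {"calendar.create_event", "calendar.update_event"}  # hypothetical tool names

@dataclass
class Event:
    organizer: str
    description: str

@dataclass
class ToolCall:
    name: str
    attendees: list = field(default_factory=list)

def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + ORG_DOMAIN)

class AgentSession:
    """Records when untrusted text enters the model context, then gates writes."""

    def __init__(self):
        self.untrusted_sources = set()

    def load_events(self, events):
        # Invite text written by an outside organizer is data, never instructions.
        for ev in events:
            if is_external(ev.organizer):
                self.untrusted_sources.add(ev.organizer.lower())
        return events

    def authorize(self, call: ToolCall) -> str:
        if call.name not in WRITE_TOOLS or not self.untrusted_sources:
            return "allow"
        # A write after reading untrusted text may be attacker-directed.
        if any(is_external(a) for a in call.attendees):
            return "deny"      # would expose data outside the organization
        return "confirm"       # ask the user before creating anything

def demo():
    # Constructed sample data, not taken from the research.
    clean, tainted = AgentSession(), AgentSession()
    clean.load_events([Event("alice@example.com", "Weekly sync")])
    tainted.load_events([Event("sender@outside.test", "text the model may misread as a command")])
    share = ToolCall("calendar.create_event", ["sender@outside.test"])
    private = ToolCall("calendar.create_event", ["alice@example.com"])
    read = ToolCall("calendar.list_events")
    return [clean.authorize(share), tainted.authorize(share),
            tainted.authorize(private), tainted.authorize(read)]
```

The gate does not try to recognize malicious wording in the invite; it keys on where the text came from and on what the requested action would expose.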
Via TheHackerNews