Researchers have found a flaw that allows malicious Google Calendar invites to hijack Gemini in order to wreak havoc on a target’s machine.
As reported by Bleeping Computer, a maliciously crafted invite within Google Calendar can remotely take over Gemini agents without any user involvement beyond typical day-to-day interaction with the assistant.
The security researchers at SafeBreach, who demonstrated this attack in a report, were able to send a calendar invite with an embedded prompt injection, hidden in the event title, which permitted them to exfiltrate a variety of user data like email content and Calendar information. They were also able to track the victim’s location, control smart home devices (using Google Home) open apps on Android and trigger Zoom calls.
The researchers made note that the attack did not require white-box model access and was not blocked by Gemini’s protection measures or by prompt filtering. Instead, the attack begins with a malicious Google Calendar event invite sent to the victim which includes an event title containing an indirect prompt injection. The victim then only needs to interact with Gemini as they typically would, such as asking “What are my calendar events today?” in order to cause the AI chatbot to pull a list of events from the Calendar – which will include the malicious event title embedded by the attacker.
This will then becomes part of Gemini’s content window, and the assistant will treat it as part of the conversation as it is unable to realize that the instruction is malicious. Depending on what the instruction is, it could cause lead to a number of different prompts from being executed, causing events in Google Calendar to be edited or removed entirely, opening URLs to retrieve the victim’s IP address, joining a Zoom call, using Google Home to control devices, or accessing emails and leaking user data.
However, it could take up to six calendar invites for this attack to work with the malicious prompt being included only in the last invite. This is because the Calendar events section displays only the five most recent events; the rest fall under the ‘Show more” button. Gemini will parse them all – including the malicious one – when instructed to. Additionally, the victim will not see the malicious event title or realize there has been a compromise unless they expand the events list by clicking “Show more.”
Gemini, Google’s LLM (large language model) assistant, is integrated into Android, Google web services and Google’s Workspace apps so it has access to Gmail, Calendar and Google Home. These attacks are a downside of Google’s broad access and reach, and while its usefulness comes from its ability to reach across tools, this is also proving to be a detriment when it comes to the nature of this attack. Google has already issued a fix and has credited the team of researchers and their efforts.
Follow Tom's Guide on Google News to get our up-to-date news, how-tos, and reviews in your feeds. Make sure to click the Follow button.
More from Tom's Guide
- Hackers love these 7 smart home devices — here’s how to keep them secure
- Almost 900,000 students and alumni hit in major college data breach — financial-aid info, Social Security numbers and more exposed
- Hackers are abusing this Intel tool to disable Windows 11's built-in antivirus — don't fall for this
