Google fixed a bug that allowed maliciously crafted Google Calendar invites to remotely take over Gemini agents running on the target's device and leak sensitive user data.
The attack unfolded without requiring any user involvement beyond typical interactions with the assistant, which occur daily for users of Gemini.
Gemini is Google's large language model (LLM) assistant integrated into Android, Google web services, and Google's Workspace apps, having access to Gmail, Calendar, and Google Home.
By sending a calendar invite with an embedded prompt injection, often hidden in the event title, attackers can potentially exfiltrate email content and Calendar information, track victim location, control smart home devices via Google Home, open apps on Android, and trigger Zoom video calls.
The attack was demonstrated in a report by SafeBreach researchers, who noted that it does not require white-box model access and was not blocked by prompt filtering or other protection measures in Gemini.
You've got an invite
The attack started with a Google Calendar event invite sent to the target, with the event title containing an indirect prompt injection.
Once the victim interacts with Gemini, like asking "What are my calendar events today," Gemini pulls the list of events from Calendar, including the malicious event title the attacker embedded.
This becomes part of Gemini's context window, and the assistant treats it as part of the conversation, unable to realize the instruction is hostile to the user.
Depending on the prompt the attacker uses, they may trigger tools or agents to perform Calendar event wiping or editing, open a URL to retrieve the target's IP address, join a Zoom call, use Google Home to control physical devices, or access emails and extract sensitive user data.
... continue reading