Google Gemini Prompt Injection Flaw Exposed Private Calendar Data via Malicious Invites
"The starting point of the attack chain is a new calendar event that's crafted by the threat actor and sent to a target. The invite's description embeds a natural language prompt that's designed to do their bidding, resulting in a prompt injection. The attack gets activated when a user asks Gemini a completely innocuous question about their schedule (e.g., Do I have any meetings for Tuesday?), prompting the artificial intelligence (AI) chatbot to parse the specially crafted prompt in the aforementioned event's description to summarize all of users' meetings for a specific day, add this data to a newly created Google Calendar event, and then return a harmless response to the user."
"'Behind the scenes, however, Gemini created a new calendar event and wrote a full summary of our target user's private meetings in the event's description,' Miggo said. 'In many enterprise calendar configurations, the new event was visible to the attacker, allowing them to read the exfiltrated private data without the target user ever taking any action.'"
An indirect prompt-injection vulnerability enabled malicious calendar invites to instruct Google Gemini to extract and expose private meeting information. The attack embeds a dormant natural-language prompt in the invite description. When a user queries Gemini about their schedule, Gemini parses the crafted prompt, summarizes the user's meetings for a given day, and writes that summary into a newly created Google Calendar event while returning a harmless response. In many enterprise calendar configurations, the created event was visible to attackers, allowing them to read exfiltrated private data without any direct user interaction. The vulnerability was addressed following responsible disclosure, and the issue highlights expanded AI attack surfaces and new security risks.
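One way to contain the chain summarized above, as an added example (it is not Google's fix, which this page does not describe, and not code from Miggo or the article): a policy gate that refuses state-changing tool calls when the user asked a read-only question and the model's context contains text authored by someone else. The tool names, the `ContextItem` and `ToolCall` types, and the `user_asked_to_write` flag (assumed to come from an upstream intent check) are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical tool names for a calendar assistant (not Gemini's real tool API).
WRITE_TOOLS = {"create_event", "update_event"}

@dataclass(frozen=True)
class ContextItem:
    author: str   # account that wrote this text (for an invite: the organizer)
    text: str     # content the model read while answering

@dataclass(frozen=True)
class ToolCall:
    name: str
    args: dict

def is_untrusted(item: ContextItem, user: str) -> bool:
    # Text written by anyone but the user is data and must never act as instructions.
    return item.author.lower() != user.lower()

def authorize(call: ToolCall, user: str, user_asked_to_write: bool,
              context: list[ContextItem]) -> str:
    """Decide 'allow', 'confirm' or 'deny' for a tool call the model proposes."""
    if call.name not in WRITE_TOOLS:
        return "allow"                      # reads have no side effects
    tainted = any(is_untrusted(i, user) for i in context)
    if not user_asked_to_write:
        # Read-only question but the model wants to write: the step this chain needs.
        return "deny" if tainted else "confirm"
    return "confirm" if tainted else "allow"

def demo() -> dict:
    user = "alice@example.com"              # constructed sample data
    context = [
        ContextItem(user, "1:1 with manager, 10:00"),
        ContextItem("sender@external.example", "<third-party invite description>"),
    ]
    # User asked "Do I have any meetings for Tuesday?" -> user_asked_to_write=False
    read = ToolCall("list_events", {"day": "Tuesday"})
    write = ToolCall("create_event", {"description": "<summary of the day's meetings>"})
    return {
        "read": authorize(read, user, False, context),
        "write": authorize(write, user, False, context),
        "write_own_calendar_only": authorize(write, user, False, context[:1]),
    }

if __name__ == "__main__":
    print(demo())
```

The gate keys on who authored the text in context, not on what the text says, so it does not depend on recognizing any particular injected wording.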
Read at The Hacker News