Prompt injection vuln found in Google Gemini apps
Briefly

A significant prompt injection vulnerability has been identified in Google’s Gemini applications, permitting severe attacks such as unwanted video streaming, email exfiltration, and control over smart home systems. The vulnerability is exploited through Google Calendar invitations or emails, leading to outcomes like generating toxic content, spamming users, and modifying calendar events. The attack, named 'Invitation is All You Need', shows that adversarial attacks against AI systems, often regarded as complex, are practically achievable with minimal input through Google’s Workspace architecture, which struggles to differentiate between inputs.
You may have believed that adversarial attacks against AI-powered systems are complex, impractical, and too academic. In reality, an indirect prompt injection in a Google invitation is all you need to exploit Gemini for Workspace's agentic architecture.
The attack, dubbed 'Invitation is All You Need,' allows for outcomes such as toxic content generation, spamming, deleting events from the user's calendar, and even taking over the target's smart home systems.
The same approach was previously used to convince LLM-powered summary systems to review research papers favourably, force SQLite Model Context Protocol servers to leak customer data, and improve the odds of being hired.
Earlier prompt injection vulnerabilities stemmed from large language models' inability to distinguish between inputs, which makes protections against these attacks easy to circumvent.
Read at The Register