Tekmono
Google Gemini Vulnerability Enables Phishing Attacks Easily

by Tekmono Editorial Team
14/07/2025
in News

A newly discovered vulnerability in Google Gemini for Workspace has raised concerns over potential phishing attacks, as a researcher disclosed a method to manipulate email summaries without attachments or direct links.

The vulnerability, disclosed by researcher Marco Figueroa via Mozilla’s 0din bug bounty program, involves leveraging indirect prompt injections hidden in emails. Attackers can embed malicious instructions in email body text using HTML and CSS to render them invisible. When a recipient asks Gemini to summarize the email, the AI parses and obeys the hidden directive. This allows attackers to potentially trick users into divulging sensitive information or performing certain actions.

An example demonstrated by Figueroa showed Gemini generating a fake security warning about a compromised Gmail password, including a support phone number, posing as a legitimate alert. This highlights the potential severity of the vulnerability, as users may be deceived into believing the warning is genuine.

In response to the disclosure, Google stated that they are “hardening defenses and implementing mitigations.” However, they have seen no evidence of this attack being used in the wild. Figueroa suggests that security teams should consider removing or neutralizing hidden content and implementing post-processing filters on Gemini output to mitigate the risk.
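
One way to apply the first of Figueroa's suggestions, neutralizing hidden content before the message reaches the summarizer, shown as an added example that is not code from the article, the researcher or Google. The list of CSS hiding patterns, the `sanitize_for_summary` name and the sample message are assumptions made for illustration; the output post-processing filter he also recommends is not covered here.

```python
import re
from html.parser import HTMLParser

# Assumed inline-CSS hiding tricks (not listed in the article); white text is a heuristic.
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:\.0+)?\s*(?:;|!|$)"
    r"|font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|!|$)"
    r"|(?<![-\w])color\s*:\s*(?:white|#fff(?:fff)?)\b", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}

class HiddenTextSplitter(HTMLParser):
    """Separate text a reader sees from text styled to be invisible."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []  # (tag, hidden?) per open element; hiding is inherited
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:  # void elements never get an end tag
            return
        a = dict(attrs)
        own = "hidden" in a or bool(HIDDEN_CSS.search(a.get("style") or ""))
        inherited = bool(self.stack) and self.stack[-1][1]
        self.stack.append((tag, own or inherited))

    def handle_endtag(self, tag):
        names = [t for t, _ in self.stack]
        if tag in names:  # also closes unclosed children of malformed HTML
            del self.stack[len(names) - 1 - names[::-1].index(tag):]

    def handle_data(self, data):
        if self.stack and self.stack[-1][0] in ("script", "style"):
            return  # never rendered as message text
        text = " ".join(data.split())
        if text:
            hidden = bool(self.stack) and self.stack[-1][1]
            (self.hidden if hidden else self.visible).append(text)

def sanitize_for_summary(html_body):
    """Return (visible text for the summarizer, quarantined hidden fragments)."""
    parser = HiddenTextSplitter()
    parser.feed(html_body)
    parser.close()
    return " ".join(parser.visible), parser.hidden

# Constructed sample message, not taken from the disclosure.
SAMPLE = ('<p>Hi team, the Q3 report is on the shared drive.</p>'
          '<div style="font-size:0; color:#ffffff">CONSTRUCTED HIDDEN TEXT '
          'for the summarizer <b>nested</b></div><p>Thanks,<br>Dana</p>')
```

Calling `sanitize_for_summary(SAMPLE)` returns the visible text plus the two hidden fragments. A non-empty second element is itself a signal worth logging, since legitimate mail rarely carries invisible prose.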

Users are advised not to consider Gemini summaries authoritative for security alerts. This precaution is crucial in preventing potential phishing attacks that could arise from the vulnerability. By being cautious and verifying the authenticity of security alerts, users can reduce the risk of falling victim to such attacks.

Tekmono is a Linkmedya brand. © 2015.
