- Researchers Discover Prompt Injection of Gemini AI Through Google Calendar Invitations
- Attackers could leak private meeting data with minimal user interaction
- The vulnerability has been mitigated, reducing the risk of immediate exploitation.
Security researchers have found another way to run prompt injection attacks on Google’s Gemini AI, this time to leak sensitive data from Google Calendar.
Prompt injection is a type of attack in which the malicious actor hides a prompt in an otherwise benign message. When the victim tells their AI to analyze the message (or use it as data in their work), the AI ends up executing the message and carrying out the actor’s orders.
In essence, prompt injection is possible because AIs cannot distinguish between the instruction and the data used to execute that instruction.
Abusing Gemini and Calendar
Until now, prompt injection attacks were limited to email messages and the instruction to summarize or read emails. In the latest investigation, Miggo Security said that the same can be done through Google Calendar.
When a person creates a calendar entry, they can invite other participants by adding their email address. In this scenario, a threat actor can create a calendar entry containing the malicious message (to extract calendar data) and invite the victim. The invitation is then sent in the form of an email and contains the instructions. The next step is for the victim to tell their AI to check for upcoming events.
The AI will analyze the message, create a new calendar event with the details, and add the attacker, directly granting them access to sensitive information.
“This bypass allowed unauthorized access to private meeting data and the creation of deceptive calendar events without any direct user interaction,” the researchers told The Hacker News.
“However, behind the scenes, Gemini created a new calendar event and wrote a complete summary of our target user’s private meetings in the event description,” Miggo said. “In many enterprise calendar configurations, the new event was visible to the attacker, allowing him to read the exfiltrated private data without the targeted user taking any action.”
The problem has since been mitigated, Miggo confirmed.
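One way to contain the flow described above, as an added example that is not from the article, Miggo, or Google: gate the assistant's write-capable tool calls whenever text written by someone other than the user is in its context. All type, tool and address names are hypothetical, and the sample invite is constructed.

```python
from dataclasses import dataclass, field

# Hypothetical names throughout; not Gemini's or Google Calendar's real API.
WRITE_TOOLS = {"calendar.create_event", "calendar.update_event"}

@dataclass
class ContextItem:
    source: str   # where the text came from, e.g. "calendar_invite"
    author: str   # address of whoever wrote the text
    text: str

@dataclass
class ToolCall:
    name: str
    attendees: list = field(default_factory=list)
    description: str = ""

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def review_tool_call(call, context, user_email):
    """Decide 'allow', 'confirm' or 'block' for a tool call the model proposes."""
    if call.name not in WRITE_TOOLS:
        return "allow"                      # reads cannot publish data
    user = user_email.lower()
    third_party = {c.author.lower() for c in context if c.author.lower() != user}
    if not third_party:
        return "allow"                      # only the user's own words in context
    for a in call.attendees:
        # Adding the author of untrusted text, or anyone outside the user's
        # domain, is the exfiltration path the article describes.
        if a.lower() in third_party or domain(a) != domain(user):
            return "block"
    # Even with no attendee added, a new event may be visible to others
    # through calendar sharing, so a human must approve the write.
    return "confirm"

# Constructed sample: invite text authored by an outside party.
SAMPLE_CONTEXT = [
    ContextItem("user_prompt", "alice@corp.example", "What is on my calendar?"),
    ContextItem("calendar_invite", "mallory@outside.example",
                "(constructed) invite body containing embedded instructions"),
]

if __name__ == "__main__":
    call = ToolCall("calendar.create_event", ["mallory@outside.example"],
                    "summary of private meetings")
    print(review_tool_call(call, SAMPLE_CONTEXT, "alice@corp.example"))
```

The gate keys on where the context text came from rather than on what it says, so it does not depend on recognizing the wording of an injected prompt.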
Via The Hacker News




