New Kind of AI-Driven Threat
Security researcher Marco Figueroa has uncovered a novel prompt injection vulnerability affecting Google Gemini within Workspace. The exploit allows attackers to manipulate email summaries generated by the AI, tricking users into trusting fabricated security warnings—without using links, attachments, or visible malware.
The attack was disclosed through Mozilla’s 0din bug bounty program, which focuses on generative AI security.
How the Gemini Exploit Works
Crafting the malicious email
Source: 0DIN
Hidden in Plain Sight
The attack exploits invisible directives embedded in email content using HTML/CSS. Here’s how it works:
- An attacker crafts an email with hidden instructions using white text on a white background and font size set to zero.
- These instructions are not visible to the human reader in Gmail.
- However, Google Gemini reads and executes the hidden text when summarizing the message.
One demonstration shows Gemini falsely alerting a user that their Gmail password has been compromised, and providing a fake support phone number.
Gemini summary result served to the user
Source: 0DIN