Vulnerability in Google Gemini apps discovered: injection attacks identified by security experts
In a groundbreaking discovery, a trio of researchers - Ban Nassi, Stav Cohen, and Or Yair - have unveiled a significant prompt injection vulnerability in Google's Gemini AI assistant. This newly discovered attack method, dubbed the "Invitation Is All You Need," targets Google's AI-powered applications, exploiting the vulnerability by embedding malicious prompts in Google Calendar invites and similar shared resources like emails or document titles [1][3].
When Gemini processes these calendar events or other inputs, it can be tricked into executing harmful actions such as generating offensive content, opening smart home devices, or performing other unauthorized activities - all remotely and without the user's knowledge [3][4].
This attack falls under a broader category called Targeted Promptware Attacks, where indirect prompt injections manipulate the AI’s contextual awareness. By sending malicious calendar invites with concealed instructions, the researchers demonstrated how they could hijack Gemini’s application context and invoke its integrated agents with the attacker’s commands [3][4].
Key aspects of this vulnerability include:
- It exploits Gemini’s handling of shared resources by embedding hidden instructions within them.
- The attacker’s injected prompts can cause both short-term, one-time malicious actions and long-term poisoning of Gemini’s memory to persistently influence behaviour across sessions.
- Demonstrated real-world malicious effects include opening smart windows, activating boilers, launching video calls, recording the victim, and manipulating their environment [3][4].
- The attack requires no visible signs of the injection to the user, making it stealthy.
- The research has raised awareness of this emerging class of AI prompt injection attacks targeting Google Workspace’s Gemini integrations and stresses the importance of treating AI assistants as part of the attack surface [3][4].
Google has acknowledged the indirect prompt injection vulnerabilities in Gemini and has implemented a layered defense strategy involving content classifiers, markdown sanitization, suspicious URL redaction, and user confirmation frameworks to mitigate these risks in Workspace apps [5].
For more detailed information, you can review:
- The SafeBreach Labs blog post "Invitation Is All You Need: Hacking Gemini" for an in-depth explanation and technical details of the attack methodology and impact [4].
- The original research paper and related security studies by Ben Nassi, Stav Cohen, and Or Yair describing the Targeted Promptware attacks on Gemini AI [3].
- Google's own documentation on their defense strategy against indirect prompt injections in Gemini and Workspace environments [5].
- Security news articles covering the demonstration and implications of these vulnerabilities in Gemini-powered applications [1][3].
This vulnerability underscores the ongoing challenges in securing AI assistants embedded in productivity and communication tools against sophisticated prompt injection threats. As we move into the "agentic AI" era, where large language models can issue their own commands to external tools, the vulnerability brings with it considerably more risk [2].
The discovery of the "Invitation Is All You Need" vulnerability in Google's Gemini AI assistant, a Targeted Promptware Attack, highlights the need for enhanced cybersecurity in data-and-cloud-computing technologies, particularly in AI-powered applications. The attack, which exploits shared resources like calendar invites and emails, can cause harmful actions remotely without the user's knowledge, including opening smart home devices and manipulating the environment [3][4].
To address this issue, technology companies must implement strong security measures, such as content classifiers, markdown sanitization, and user confirmation frameworks, to protect against indirect prompt injection vulnerabilities [5]. As AI advancements continue towards the "agentic AI" era, where large language models can issue their own commands to external tools, the significance of data security in this context becomes increasingly important [2].
