A critical vulnerability in Google Gemini for Workspace allows attackers to craft emails containing invisible, malicious instructions. These instructions, hidden using HTML and CSS to render them with zero font size and white color, are not visible to the recipient in their inbox and do not contain traditional phishing indicators like attachments or direct links. This significantly increases the likelihood of the malicious email reaching the target’s inbox undetected by current security filters.
When a recipient asks Gemini to summarize such an email, Google’s AI tool parses the hidden directive and incorporates it into the summary.
An example provided by researcher Marco Figueroa demonstrates Gemini generating a warning about a compromised Gmail password and a fake support phone number. Because users are likely to trust Gemini’s output as part of Google Workspace, they are highly susceptible to believing these generated security alerts are legitimate, making them vulnerable to subsequent phishing attempts.
This “indirect prompt injection” technique has been reported since 2024, yet it remains effective despite implemented safeguards. Figueroa, who disclosed the vulnerability through Mozilla’s 0din bug bounty program, also suggested several mitigation strategies. These include removing or neutralizing hidden content in email bodies and implementing post-processing filters on Gemini’s output to flag urgent messages, URLs, or phone numbers for further review.
Users are also advised to exercise caution and not consider Gemini summaries as authoritative sources for security alerts.
Google, when contacted, referred to a blog post on prompt injection defenses and stated they are continuously hardening their defenses through red-teaming exercises. They also mentioned that some mitigations are currently being implemented or are about to be deployed.
Despite the identified vulnerability and ongoing mitigation efforts, Google has stated that they have not observed any evidence of real-world incidents where Gemini has been manipulated in the manner demonstrated by Figueroa’s report. However, the potential for exploitation remains a significant concern, highlighting the evolving landscape of AI-powered phishing attacks.
Reference:
