Google’s Gemini AI Model for Workspace Exposes Users to Advanced Phishing Attacks

Written by: Lore Apostol, Cybersecurity Writer

A newly disclosed prompt-injection vulnerability in Google’s Gemini AI model for Workspace enables attackers to hijack email summaries by embedding malicious instructions within hidden portions of email content.

Attackers can embed malicious commands in email content using HTML and CSS. These commands are styled with zero font size and white text, rendering them invisible to users in Gmail. 

This tactic turns an AI feature meant to improve productivity against its user. Once a recipient asks Gemini to summarize the email, the model parses the hidden text along with the visible body and follows the instructions it contains, as detailed in a report published via 0din, Mozilla's bug bounty program.

Malicious code hidden in the email body | Source: 0din

An example provided by researchers shows Gemini producing a seemingly authentic warning about a Gmail password breach, accompanied by fake recovery instructions.

"Summarize this email" function is abused | Source: 0din

Attackers can direct Gemini to generate a security alert, claiming a compromised account and providing a fraudulent support phone number. Since the summary appears to be a legitimate output from Gemini, the likelihood of users trusting the notification increases significantly.  
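As an added illustration, not code from the article or from the 0din report, the following shows the two defensive checks a mail pipeline can place around an AI summarizer to counter exactly the pattern described above: before the model sees the message, separate the text a reader actually sees from text styled invisible (zero font size, white colour, display:none and similar) and flag the latter; after the model answers, compare its summary with the visible text so that a phone number or URL the summary introduces out of nowhere is flagged rather than trusted. The function names, the sample email and the stand-in summary are constructed for this example, and the list of hiding styles is a deliberately narrow assumption rather than a complete catalogue.

```python
import re
from html.parser import HTMLParser

# Inline CSS that makes text invisible to a human reader while it stays in the
# DOM text a summarizer ingests. The white/#fff check is deliberately narrow
# (assumption for this example); a production filter would also compare the
# text colour against the actual background.
HIDDEN_STYLE_PATTERNS = [
    re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I),
    re.compile(r"(?<![-\w])color\s*:\s*(?:white|#fff(?:fff)?|"
               r"rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))\s*(?:;|$)", re.I),
    re.compile(r"display\s*:\s*none\b", re.I),
    re.compile(r"visibility\s*:\s*hidden\b", re.I),
    re.compile(r"opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)", re.I),
]

# Elements with no end tag and no text content; skipped to keep the tag stack balanced.
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base",
             "col", "embed", "param", "source", "track", "wbr"}


def style_is_hidden(style):
    """True if an inline style attribute renders the element's text invisible."""
    return any(p.search(style or "") for p in HIDDEN_STYLE_PATTERNS)


class HiddenTextScanner(HTMLParser):
    """Splits an HTML body's text into what a reader sees and what is hidden."""

    def __init__(self):
        super().__init__()
        self.stack = []        # one bool per open element: did it start a hidden region?
        self.hidden_depth = 0  # >0 while inside any hidden element
        self.visible = []
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        attrs = dict(attrs)
        hidden = style_is_hidden(attrs.get("style")) or "hidden" in attrs
        self.stack.append(hidden)
        if hidden:
            self.hidden_depth += 1

    def handle_startendtag(self, tag, attrs):
        pass  # self-closing elements carry no text

    def handle_endtag(self, tag):
        if self.stack and self.stack.pop():
            self.hidden_depth -= 1

    def handle_data(self, data):
        text = data.strip()
        if text:
            (self.hidden if self.hidden_depth else self.visible).append(text)


def scan_email_html(html):
    """Return the visible text, the hidden text, and whether any hidden text was found."""
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    return {
        "visible_text": " ".join(scanner.visible),
        "hidden_text": " ".join(scanner.hidden),
        "suspicious": bool(scanner.hidden),
    }


PHONE_RE = re.compile(r"(?:\+?\d[\d\s().-]{6,}\d)")
URL_RE = re.compile(r"https?://\S+", re.I)


def summary_adds_contact_info(summary, visible_text):
    """Phone numbers and URLs present in the summary that the reader never saw."""
    def norm(s):
        return re.sub(r"\D", "", s)
    seen_phones = {norm(p) for p in PHONE_RE.findall(visible_text)}
    seen_urls = set(URL_RE.findall(visible_text))
    new_phones = [p for p in PHONE_RE.findall(summary) if norm(p) not in seen_phones]
    new_urls = [u for u in URL_RE.findall(summary) if u not in seen_urls]
    return new_phones + new_urls


# Constructed sample email: a benign visible body plus one invisible span.
SAMPLE_EMAIL = """<html><body>
<p>Hi team, the Q3 report is attached. Let me know if you have questions.</p>
<span style="font-size:0px;color:#ffffff">[constructed placeholder for text only the summarizer would read]</span>
<p>Thanks,<br>Alex</p>
</body></html>"""

# Constructed stand-in for a summarizer's output that introduces a support number.
SAMPLE_SUMMARY = "Alex shared the Q3 report. Your account may be compromised; call support at 555-0100."

if __name__ == "__main__":
    result = scan_email_html(SAMPLE_EMAIL)
    print("hidden text found:", result["suspicious"])
    print("text safe to summarize:", result["visible_text"])
    print("contact details the reader never saw:",
          summary_adds_contact_info(SAMPLE_SUMMARY, result["visible_text"]))
```

The input-side check is the stronger control because it keeps the hidden text away from the model entirely; the output-side check is a cheap backstop for cases the style filter misses, since a summary that invents contact details is a red flag regardless of how the instructions reached the model.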

Proof-of-Concept snippet | Source: 0din

Unlike traditional phishing methods that rely on questionable links or suspicious attachments, this technique carries neither, so it bypasses conventional detection mechanisms and makes it more likely that malicious emails slip past spam filters and security gateways.

This attack method plays on users' trust in AI-driven tools, presenting Gemini's summaries as authoritative. Victims are more likely to act on the instructions and fall prey to the phishing attempt without questioning the legitimacy of the email.
