Google Gemini Prompt Injection Flaw Exfiltrated Private Data via Calendar Invites
Published
Key Takeaways
- Prompt Injection Flaw: A significant vulnerability was discovered in Google Gemini that enabled prompt injection attacks via malicious Google Calendar invites.
- Data Exposure Risk: The flaw allowed attackers to trick the AI model into exfiltrating private user data from their calendars, including event details and personal information.
- Vector of Attack: Attackers embedded malicious instructions within the description of a Google Calendar event, which Gemini would then process as a command.
A serious Google Gemini vulnerability has been discovered, enabling a sophisticated prompt injection flaw that could be triggered via a seemingly innocuous Google Calendar invitation. By embedding malicious commands in the event description, an attacker could instruct the Gemini model to exfiltrate a user's private calendar data.
This method bypasses conventional security measures by tricking the AI into performing unauthorized actions based on the content it processes, highlighting significant AI cybersecurity risks posed by large language models (LLMs) integrated into personal productivity tools.
Mechanism of the Prompt Injection Attack
The attack's execution was straightforward yet highly effective, according to a recent report. An attacker would send a calendar invitation to a target user with hidden instructions placed in the event description.
When the user prompted Gemini to summarize their upcoming events or schedule, the AI would read the malicious description during its data-gathering process. Interpreting the hidden text as a direct command, Gemini could then be manipulated to send the user's private calendar information to an external, attacker-controlled location.
“Attackers can hide intent in otherwise benign language, and rely on the model’s interpretation of language to determine the exploitability,” the report said.
Implications for AI Security and User Trust
As AI models like Gemini become more deeply integrated with personal and enterprise applications, the attack surface expands considerably. Google has since addressed the specific vulnerability.
For users, it emphasizes the need for caution when connecting AI assistants to services containing sensitive personal information, as the lines between data and commands can be easily blurred by threat actors.
A few days ago, TechNadu reported on an Anthropic Claude flaw that exposes Cowork AI to data exfiltration via prompt injection.
December reports outlined a new AI-native vulnerability in Google Gemini Enterprise and Vertex AI that allowed Gmail, Docs, and Calendar data exfiltration. A recent report listed the current top attack vectors as remote access compromise, phishing, social engineering, and rapid exploitation of flaws.
A promptware flaw exposed Google Home devices to Gemini exploits in August 2025. One month earlier, Gemini for Workspace exposed users to advanced phishing attacks. APT41 leveraged Calendar for C2, distributing TOUGHPROGRESS malware in May.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular