A vulnerability in Google’s AI assistant Gemini allowed attackers to leak a sufferer’s non-public conferences through Google Calendar occasions, cybersecurity agency Miggo experiences.
The assault concerned making a malicious calendar occasion and sending an invitation to the focused consumer.
Utilizing a payload within the Calendar occasion’s description, the oblique immediate injection assault bypassed Calendar’s privateness controls to entry assembly knowledge and create misleading occasions with out consumer interplay.
The assault, Miggo explains, abused Calendar’s integration with Gemini, the place the AI features as an assistant, parsing all occasion knowledge, together with titles, instances, attendees, and descriptions.
“As a result of Gemini mechanically ingests and interprets occasion knowledge to be useful, an attacker who can affect occasion fields can plant pure language directions that the mannequin might later execute,” Miggo notes.
The cybersecurity agency found it was potential to create a calendar description that may instruct Gemini to summarize a sufferer’s conferences, together with non-public ones, write the information within the description of a brand new calendar occasion, and ship a innocent response to the consumer, to cover the malicious actions.Commercial. Scroll to proceed studying.
“The payload was syntactically innocuous, that means it was believable as a consumer request. Nonetheless, it was semantically dangerous when executed with the mannequin device’s permissions,” Miggo notes.
The payload was triggered when the consumer requested Gemini a query about their schedule, and resulted within the AI creating a brand new calendar occasion containing the consumer’s knowledge within the description. The brand new calendar occasion with the sufferer’s non-public assembly knowledge was accessible to the attacker, Miggo says.
Because the cybersecurity agency notes, the assault was profitable as a result of it relied on seemingly innocuous directions that any consumer would possibly give to Gemini. The context and intent made it malicious and harmful.
“This shift reveals how easy pattern-based defenses are insufficient. Attackers can cover intent in in any other case benign language and depend on the mannequin’s interpretation of language to find out the exploitability,” Miggo notes.
The cybersecurity agency reported the findings to Google, which confirmed the vulnerability and addressed it.
Associated: Vibe Coding Examined: AI Brokers Nail SQLi however Fail Miserably on Safety Controls
Associated: New ‘Reprompt’ Assault Silently Siphons Microsoft Copilot Information
Associated: ‘ZombieAgent’ Assault Let Researchers Take Over ChatGPT
Associated: Google Patches Gemini Enterprise Vulnerability Exposing Company Information
