Cyber: Gemini AI Assistant Tricked Into Leaking Google Calendar Data

Using only natural language instructions, researchers were able to bypass Google Gemini's defenses against malicious prompt injection and create misleading events to leak private Calendar data.

Sensitive data could be exfiltrated this way, delivered to an attacker inside the description of a Calendar event.

Gemini is Google’s large language model (LLM) assistant, integrated across multiple Google web services and Workspace apps, including Gmail and Calendar. It can summarize and draft emails, answer questions, or manage events.

The recently discovered Gemini-based Calendar invite attack starts by sending the target an invite to an event with a description crafted as a prompt-injection payload.

To trigger the exfiltration activity, the victim would only have to ask Gemini about their schedule. This would cause Google's assistant to load and parse all relevant events, including the one with the attacker's payload.

Researchers at Miggo Security, an Application Detection & Response (ADR) platform, found that they could trick Gemini into leaking Calendar data by passing the assistant natural language instructions:

"Because Gemini automatically ingests and interprets event data to be helpful, an attacker who can influence event fields can plant natural language instructions that the model may later execute," the researchers explain.

By controlling the description field of an event, they discovered that they could plant a prompt that Google Gemini would obey, although it had a harmful outcome.

Once the attacker sent the malicious invite, the payload would be dormant until the victim asked Gemini a routine question about their schedule.

When Gemini executes the embedded instructions in the malicious Calendar invite, it creates a new event and writes the private meeting summary in its description.

Source: BleepingComputer