Rita El Khoury / Android Authority
TL;DR
- Researchers found a way to hide malicious instructions within a normal Google Calendar invite that Gemini can unknowingly execute.
- When users asked Gemini about their schedule, it could be tricked into summarizing their private meetings and leaking that data into a new event.
- Google was duly notified and has added new protections, but the issue highlights how AI features can be abused through natural language.
Google recently made Gemini a lot more useful by letting it work across multiple Calendars, not just your primary one. You can now ask about events or create new meetings across secondary calendars using natural language. But just as that update rolled out, security researchers shared a worrying new finding about how Gemini can be exploited to access someone’s private and confidential Calendar information.
Don’t want to miss the best from Android Authority?
Researchers at Miggo Security (via BleepingComputer) discovered a way to abuse Gemini’s deep integration with Google Calendar to access private calendar data using nothing more than a calendar invite.
How does it work?
Rita El Khoury / Android Authority
The exploit doesn’t rely on malware or suspicious links. Instead, it hides within a Calendar invite in plain sight. An attacker sends a calendar invite with carefully written text in the event description. It looks harmless to a user, but Gemini treats it as a natural-language prompt. Nothing happens right away, and the invite just sits on the user’s calendar.
The problem starts later. If the user asks Gemini something simple like, “Am I free on Saturday?”, Gemini scans all calendar events to answer the question, including the malicious one. That’s when the hidden instructions kick in.
In Miggo’s test, Gemini summarized the user’s meetings for a specific day, created a new calendar event, and quietly pasted that private meeting summary into the event’s description. Gemini then replied to the user with a perfectly harmless message, such as “it’s a free time slot.”
So what happens is that the newly created event containing all of the users’ private meeting details becomes visible to the attacker, without the user ever realizing their data has been compromised.
According to the researchers, the attack works because the instructions appear to be regular language commands, not malicious code. That makes them hard for traditional security systems to detect.
Google has now added new protections to block this type of attack.
Miggo says it responsibly disclosed the issue to Google, and the company has since added new protections to block this type of attack. However, this isn’t the first time security researchers have used a prompt-injection attack via Google Calendar invites. Researchers at SafeBreach previously demonstrated how a poisoned calendar invite could hijack Gemini and help control smart home devices.
Speaking to BleepingComputer, Miggo’s head of research, Liad Eliyahu, said the latest attack method shows how Gemini’s reasoning abilities can still be manipulated to bypass active security warnings, despite the security modifications Google made after the SafeBreach attack.
Thank you for being part of our community. Read our Comment Policy before posting.
