Cybersecurity researchers have uncovered a critical security flaw in Google Gemini that exploits indirect prompt injection via malicious calendar invites. By embedding natural language prompts within the description of a standard calendar event, attackers can trick the AI chatbot into bypassing privacy controls. This technique allows for the unauthorized extraction of private meeting data without any direct interaction from the target user beyond a routine query about their schedule.
The attack is activated when a user asks Gemini a harmless question regarding their meetings. Behind the scenes, the AI parses the hidden malicious prompt, summarizes the user's private data, and writes it into a new calendar event that is often visible to the attacker. This process effectively turns the chatbot into a tool for data exfiltration, highlighting a shift in vulnerabilities from traditional code to the semantic behavior of Large Language Models (LLMs).
This disclosure follows a series of similar findings across other AI-native platforms, including Microsoft Copilot and various agentic IDEs like Cursor. As organizations increasingly integrate AI agents to automate workflows, these vulnerabilities underscore the urgent need for continuous security auditing and human oversight to prevent unauthorized code injection and privilege escalation within AI workloads.
Top comments (0)