A prompt-injection vulnerability in Google Gemini for Workspace was disclosed, enabling the generation of seemingly legitimate email summaries that can direct users to phishing sites via hidden instructions. This method circumvents traditional detection by avoiding attachments or direct links.
This attack vector utilizes indirect prompt injections embedded within an email, which Gemini’s summary generation process then obeys. Despite similar prompt injection attacks being reported since 2024 and Google’s implementation of safeguards designed to block misleading responses, this specific technique has demonstrated continued success. The vulnerability was publicly revealed through 0din, Mozilla’s bug bounty program dedicated to generative AI tools. Marco Figueroa, GenAI Bug Bounty Programs Manager at Mozilla, was responsible for the disclosure.
The attack mechanism involves crafting an email that contains an invisible directive specifically intended for Gemini. An attacker can conceal this malicious instruction within the email’s body text by applying HTML and CSS styling that sets the font size to zero and the font color to white. This renders the instruction imperceptible to the human eye when the email is viewed in Gmail. Crucially, because the email contains neither attachments nor direct links, it is highly probable that such a message will successfully bypass email security filters and reach the intended recipient’s inbox without being flagged.
Google simplifies Lens to make room for its Gemini AI
Should a recipient open this email and subsequently use Google Gemini to generate a summary of its content, Google’s AI tool will process the hidden, invisible directive. Consequently, Gemini will then obey this concealed instruction as part of its summary generation. Figueroa provided an example demonstrating this exploit: Gemini followed the embedded instruction and produced a security warning for the user, falsely stating that their Gmail password had been compromised, and included a fabricated support phone number. Given that many users are likely to place trust in Gemini’s output as an integral function of Google Workspace, there is a high probability that this generated alert would be perceived as a legitimate security warning rather than a malicious injection, potentially leading users to contact the fraudulent number.
In response to this vulnerability, Figueroa has outlined several detection and mitigation strategies that security teams can implement. One recommended approach involves developing systems to remove, neutralize, or entirely disregard content within the email body that is styled to be hidden. An alternative method proposed is to employ a post-processing filter that actively scans Gemini’s generated output for specific indicators, such as urgent messages, unrecognized URLs, or suspicious phone numbers. Such a filter would then flag the summary for further review, preventing potentially malicious instructions from reaching the user unchallenged. Additionally, users are advised to exercise caution and should not consider Gemini summaries as authoritative sources for security alerts.
BleepingComputer contacted Google for information regarding defenses against such attacks. A Google spokesperson directed BleepingComputer to a Google blog post detailing security measures against prompt injection attacks. The spokesperson stated, “We are constantly hardening our already robust defenses through red-teaming exercises that train our models to defend against these types of adversarial attacks.” The company representative further clarified that some of these mitigations are currently in the process of being implemented or are scheduled for deployment soon. Google has reported no evidence of incidents manipulating Gemini in the manner demonstrated in Figueroa’s report.
Featured image credit
FAQs
Frequently Asked Questions
What is a Premium Domain Name? A premium domain name is the digital equivalent of prime real estate. It’s a short, catchy, and highly desirable web address that can significantly boost your brand's impact. These exclusive domains are already owned but available for purchase, offering you a shortcut to a powerful online presence. Why Choose a Premium Domain? Instant Brand Boost: Premium domains are like instant credibility boosters. They command attention, inspire trust, and make your business look established from day one. Memorable and Magnetic: Short, sweet, and unforgettable - these domains stick in people's minds. This means more visitors, better recall, and ultimately, more business. Outshine the Competition: In a crowded digital world, a premium domain is your secret weapon. Stand out, get noticed, and leave a lasting impression. Smart Investment: Premium domains often appreciate in value, just like a well-chosen piece of property. Own a piece of the digital world that could pay dividends. What Sets Premium Domains Apart? Unlike ordinary domain names, premium domains are carefully crafted to be exceptional. They are shorter, more memorable, and often include valuable keywords. Plus, they often come with a built-in advantage: established online presence and search engine visibility. How Much Does a Premium Domain Cost? The price tag for a premium domain depends on its desirability. While they cost more than standard domains, the investment can be game-changing. Think of it as an upfront cost for a long-term return. BrandBucket offers transparent pricing, so you know exactly what you're getting. Premium Domains: Worth the Investment? Absolutely! A premium domain is more than just a website address; it's a strategic asset. By choosing the right premium domain, you're investing in your brand's future and setting yourself up for long-term success. What Are the Costs Associated with a Premium Domain? While the initial purchase price of a premium domain is typically higher than a standard domain, the annual renewal fees are usually the same. Additionally, you may incur transfer fees if you decide to sell or move the domain to a different registrar. Can I Negotiate the Price of a Premium Domain?
In some cases, it may be possible to negotiate the price of a premium domain. However, the success of negotiations depends on factors such as the domain's demand, the seller's willingness to negotiate, and the overall market conditions. At BrandBucket, we offer transparent, upfront pricing, but if you see a name that you like and wish to discuss price, please reach out to our sales team.
How Do I Transfer a Premium Domain?
Transferring a premium domain involves a few steps, including unlocking the domain, obtaining an authorization code from the current registrar, and initiating the transfer with the new registrar. Many domain name marketplaces, including BrandBucket, offer assistance with the transfer process.
