Hackers are turning Google’s AI tools against users through a deceptive new attack vector. The culprit? Gemini’s email summarization feature, which now serves as an unwitting accomplice to cybercriminals.
These attackers have discovered that by embedding invisible instructions within ordinary-looking emails, they can manipulate Gemini into generating dangerous summaries. Pretty clever, right? Well, not for the victims.
Hackers hijack Gemini with hidden commands, turning Google’s helpful AI into an unwitting accomplice for their deceptive schemes.
The attack operates through what experts call “indirect prompt injection.” Hackers hide their malicious directives using zero-sized fonts or white-on-white text in email HTML—stuff no human would notice. But Gemini sees it all. The AI faithfully processes these hidden commands and spits out summaries containing whatever warnings or alerts the attacker specified. No attachments needed. No suspicious links. Just pure psychological manipulation.
These weaponized summaries often masquerade as urgent security notices. “Your account has been compromised! Call this number immediately!” Sound familiar? The twist is that the original email shows nothing suspicious, making traditional security filters useless. Users trust these summaries because, hey, they came from Google’s AI, not some random phishing attempt.
The technical side is almost elegant. Certain HTML elements get treated as priority instructions by Gemini. The AI doesn’t discriminate between visible text and the invisible garbage hidden in the email’s code. It just follows orders. Like an obedient digital puppy with no sense of danger.
This vulnerability has persisted despite Google’s attempts at fixing it. Security researchers keep finding new ways to sneak past defenses. Google is actively conducting red team exercises to identify and patch these vulnerabilities before they cause widespread damage. The problem isn’t going away.
Organizations with widespread AI summarization features face the highest risk. Traditional security measures don’t catch these attacks because there’s nothing technically malicious to detect. It’s just text telling an AI what to say.
The defense? AI systems must learn to ignore hidden text. This attack was first uncovered by security researcher Marco Figueroa who demonstrated its effectiveness. But until then, maybe think twice before trusting that helpful little summary. Your AI assistant might be speaking with someone else’s voice.
References
- https://nationalcioreview.com/articles-insights/extra-bytes/invisible-ai-prompt-threats-undermining-gmail-security/
- https://www.bleepingcomputer.com/news/security/google-gemini-flaw-hijacks-email-summaries-for-phishing/
- https://0din.ai/blog/phishing-for-gemini
- https://www.techradar.com/pro/security/google-gemini-can-be-hijacked-to-display-fake-email-summaries-in-phishing-scams
- https://www.bankinfosecurity.com/summarizing-emails-gemini-beware-prompt-injection-risk-a-28955
