In a technical analysis by Miggo Security, researchers disclosed a flaw that used indirect prompt injection to bypass Google Gemini authorization and extract private meeting data by creating Google Calendar events.
KEY FACTS
- Vulnerability: Indirect prompt injection targeting Google Gemini via calendar invite content
- Attack vector: Malicious prompt embedded in a calendar invite description
- Impact: Creation of calendar events that contained summaries of private meetings, visible to attackers in many enterprise configurations
- Status: Fixed following responsible disclosure
The attack begins with a crafted calendar event sent to a target. The invite description embeds a natural language prompt designed to be parsed by the chatbot.
When a user asks Gemini an innocuous question about their schedule, the chatbot parses the hidden prompt. The chatbot then summarizes the meetings for a given day, creates a new calendar event containing that summary, and returns a harmless-looking reply to the user.
In many enterprise calendar configurations, the newly created event was visible to the attacker, allowing them to read the exfiltrated private meeting data without any direct user interaction.
The issue was addressed after responsible disclosure. The disclosure also highlights that AI-native features can broaden the attack surface and introduce new risks when systems are allowed to write to external channels.
WHY IT MATTERS
The report notes that AI applications can be manipulated through the very language they are designed to understand, which moves some vulnerabilities from code into runtime behavior. Organizations using integrated AI features should review automated write actions and calendar sharing settings to limit similar exposures.
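The flow described above (external invite text read into the assistant's context, private meetings summarized, summary written into a new event that others can see) can be checked by a small policy layer in front of the assistant's tools. The following is an added example, not code from Miggo Security or Google, showing the two controls the report recommends: gating automated write actions that follow untrusted input behind a user confirmation, and refusing to write confidential content into any event that is not private. The tool names, provenance labels, organization domain and sample events are all constructed for this illustration.

```python
"""
Added example (not Miggo Security's or Google's code): a minimal policy layer
for an assistant that can read calendar data and create events. It models the
two controls the write-up recommends: gating automated write actions, and
checking the sharing scope of anything the assistant writes. Tool names,
provenance labels and the sample events are constructed for this illustration.
"""
from dataclasses import dataclass, field

# Provenance labels attached to every string the assistant handles.
UNTRUSTED = "untrusted:external"       # text authored by someone outside the org
CONFIDENTIAL = "confidential:calendar"  # the user's own private meeting data

ORG_DOMAIN = "example.com"  # constructed organization domain


@dataclass(frozen=True)
class Labeled:
    """A piece of text plus the provenance labels it carries."""
    text: str
    labels: frozenset = field(default_factory=frozenset)

    def __add__(self, other: "Labeled") -> "Labeled":
        # Concatenating text merges provenance (taint propagation).
        return Labeled(self.text + other.text, self.labels | other.labels)


@dataclass
class CalendarEvent:
    title: str
    description: str
    organizer_domain: str
    visibility: str  # "private", or "default" (may inherit org-wide sharing)


def read_event(ev: CalendarEvent) -> Labeled:
    """Label invite text by who authored it, not by where it is stored."""
    labels = {CONFIDENTIAL}  # anything on the user's calendar is their private data
    if ev.organizer_domain != ORG_DOMAIN:
        labels.add(UNTRUSTED)  # externally authored text is attacker-controlled input
    return Labeled(f"{ev.title}: {ev.description}", frozenset(labels))


@dataclass
class Session:
    consumed_untrusted: bool = False   # has external text entered the context?
    user_confirmed_write: bool = False  # did the user explicitly approve a write?


def consume(session: Session, content: Labeled) -> Labeled:
    """Record that untrusted text has entered the model's context this session."""
    if UNTRUSTED in content.labels:
        session.consumed_untrusted = True
    return content


def policy_create_event(session: Session, body: Labeled, visibility: str) -> tuple:
    """Decide whether a proposed create_event write action may run.

    Returns (allowed, reason).
    """
    # Control 1: a write proposed after the model has read external text runs
    # only with an explicit user confirmation, never automatically.
    if session.consumed_untrusted and not session.user_confirmed_write:
        return False, "write action after untrusted input requires user confirmation"
    # Control 2: confidential data may not be written into an event whose
    # visibility could be broader than the owner's.
    if CONFIDENTIAL in body.labels and visibility != "private":
        return False, "confidential content would be written to a non-private event"
    return True, "ok"


def demo() -> dict:
    """Run the write-up's flow against the policy using constructed data."""
    external_invite = CalendarEvent(
        title="Sync", description="[constructed: externally authored invite text]",
        organizer_domain="attacker.example", visibility="default")
    own_meeting = CalendarEvent(
        title="Board prep", description="Q3 numbers, hiring plan",
        organizer_domain=ORG_DOMAIN, visibility="private")

    session = Session()
    consume(session, read_event(external_invite))          # taints the session
    summary = consume(session, read_event(own_meeting))    # carries CONFIDENTIAL
    proposed_body = Labeled("Summary of today: ") + summary

    # Automatic write after untrusted input: blocked by control 1.
    unconfirmed = policy_create_event(session, proposed_body, visibility="default")
    # User-approved write, but into a non-private event: blocked by control 2.
    session.user_confirmed_write = True
    shared = policy_create_event(session, proposed_body, visibility="default")
    # User-approved private note about the user's own meetings: allowed.
    allowed = policy_create_event(session, proposed_body, visibility="private")
    return {"blocked_unconfirmed": unconfirmed, "blocked_shared": shared, "allowed": allowed}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that the policy never inspects the prompt text for "malicious" instructions; it relies only on provenance (who authored the text, whether it is the user's private data) and on the sharing scope of the write target, which are properties the assistant's host can track regardless of how the injected prompt is worded.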