Google’s Gemini AI, integrated into Workspace, has been found to be vulnerable to hidden instructions in emails. Attackers can use this technique to create fake system warnings and mislead users without any links or attachments.
Google’s Gemini AI, integrated into Workspace, has been found to be vulnerable to hidden instructions in emails. Attackers can use this technique to create fake system warnings and mislead users without any links or attachments.
As reported by BleepingComputer, security researcher Marco Figueroa, head of Mozilla’s GenAI Bug Bounty program, demonstrated an attack via Gemini within the 0din bounty platform. It allows you to «infect» emails with invisible instructions that the AI will execute when generating a short message body.
The essence of the method is to use HTML and CSS that hide instructions within the body of the email (for example, setting the font size to zero and the color white). Such content is not visible in Gmail, and the lack of attachments or direct links makes it easy to bypass security filters and deliver the email to the inbox.
After a user opens an email and asks Gemini to generate a summary, the AI reads and executes the hidden instruction. In the example Figueroa gave, Gemini generates a Gmail password leak alert and provides a «support» number that actually leads to the scammers.
This attack is particularly dangerous because users typically trust system notifications in Workspace as verified information from Google. Thus, phishing does not require clickbait or fake websites — only a well-formed email and access to AI functions.
To protect against this type of attack, Figueroa offers several solutions: filtering stylized invisible text in the body of the message, post-processing Gemini responses to detect «alarming content» (numbers, urgent alerts, links, etc.), or flagging such messages for re-checking.
Google, in a statement to BleepingComputer, confirmed that it is aware of the vulnerability and is working on implementing additional protections. Some of them, according to the spokesperson, are «in the process of being implemented or about to be deployed.» Google also noted that it has not yet recorded cases of the use of this technique in real attacks.
The problem with prompt injection for LLM has been known since 2024, but experience shows that even with protective filters, models remain vulnerable to such methods, especially in interfaces where artificial intelligence automatically interacts with the user instead of a human.
We previously wrote about how Google made the Gemini photo-to-video conversion feature, Google AI Ultra subscription, and Flow AI movie creation tool available in Ukraine.
