The Gemini injection in Gmail is unsafe to accelerate injection-based fishing attacks, a researcher performed. According to the researcher, Artificial Intelligence (AI) Chatbott that offers features such as email summary generation and email rewriting can be manipulated to display users. This vulnerability pursues a significant risk, as the attackers can potentially take advantage of it to operate online scams. Meanwhile, the Mountain view-based tech veteran allegedly stated that it has not yet seen this manipulation technique used against users.
The researcher claims that Gemini is insecure to accelerate injections in Gmail
Was vulnerable Spibled and performed By researcher Marco Figuero, Jenai Bug Bounty Program Manager at Mozilla, AI Tools through Bag Bunty Program of Mozilla, through 0 dein. Interestingly, to trigger this vulnerability, the scammer does not need to pull any high-profile cyber heirs. Instead, it can be done with a simple text command, which is known as early injections.
Prompt injection is a type of attack on AI chatbots where an attacker deliberately manipulates input or promises to behave the model in an unexpected or malicious manner. In this particular scenario, the researcher used indirect early injections, where malicious signs are embedded inside a document, email or a web page.
According to the researcher, he just wrote a long email and finally added some hidden text, including early injections. There was no URL or Attachment in the email, making it easier to reach the receiver’s primary inbox.
Adding a hidden malicious message to the email
Photo Credit: 0DIN/Marco Figueroa
As shown in the image, the attacker used a white color font on a white page to write malicious messages. This lesson is generally invisible to the receiver of email. Other methods of connecting hidden text include using a zero font size, off-screen text placement and other HTML or CSS tricks.
Now, if the receiver uses Gemini’s “email” facility, the chatbot will process the hidden text and take the command, without finding the user ever detecting, Figuro said. He also said that the chances of chatbot increase after the command if the message is wrapped inside a administrator tag, as it considers high-primary request.
Gemini repeats malicious messages in Verbatim Summary
Photo Credit: 0DIN/Marco Figueroa
The cyber security researcher showed in another screenshot that Mithun gave a really malicious message and displayed it as part of his email summary. Since the message is now coming from Gemini, rather than an email from a potential stranger, the victim may be more likely to believe and follow instructions, falling for the scam.
BlappingCopper Contacted For Google to ask about vulnerability, and a spokesperson said the company has not seen any evidence of similar manipulation so far. Additionally, it was also revealed that Google is in the process of implementing some mitigations to quick injection-based adverse attacks.
