In Google Workspace, Gemini can be exploited to generate an email summary that looks legitimate but contains malicious instructions or warnings directing users to phishing sites, without the email carrying any attachments or direct links.
The attack works through indirect prompt injection: instructions hidden inside the email body are followed by Gemini when it generates the message summary.
Although similar prompt-injection attacks have been reported since 2024 and safeguards have been deployed to block misleading responses, the technique remains successful.
Attack through Gemini
The prompt-injection attack on Google’s Gemini model was disclosed through 0DIN, Mozilla’s bug bounty program for generative AI tools, by researcher Marco Figueroa, GenAI Bug Bounty Program Manager at Mozilla.
The process involves crafting an email that carries instructions invisible to the reader but parsed by Gemini. An attacker can hide malicious instructions in the body text at the end of the message using HTML and CSS that set the font size to zero and the text color to white.

Source: 0DIN
The hidden instructions are not rendered in Gmail, and because the message contains no attachments or links, it is highly likely to reach the potential target’s inbox.
If the recipient opens the email and asks Gemini to summarize it, Google’s AI tool parses and follows the invisible instructions.
An example provided by Figueroa shows Gemini following the hidden instructions and including a security warning that the user’s Gmail password has been compromised, along with a support phone number to call.

Source: 0DIN
Because many users are likely to trust Gemini’s output as part of Google Workspace, this warning is likely to be taken as a legitimate alert rather than recognized as a malicious injection.
Figueroa offers several detection and mitigation methods that security teams can apply to prevent such attacks. One is to remove, neutralize, or ignore content hidden in the body text.
Another approach is to apply a post-processing filter that scans Gemini’s output for urgent messages, URLs, or phone numbers and flags the message for further review.
Users should also be aware that Gemini summaries should not be treated as authoritative when it comes to security alerts.
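The two mitigations above, stripping hidden body text before it reaches the summarizer and scanning the summary output for urgency cues, phone numbers and URLs, can be implemented as a small pre- and post-processing pair. The following is an added illustration, not code from 0DIN, Figueroa or Google; the sample email, the CSS patterns it treats as "hidden", the keyword list and the placeholder hidden text are all constructed for the example, and a real deployment would tune them to its own mail stream.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a benign email whose tail carries text styled to be
# invisible to a reader (font-size 0, white on white). The hidden text is a
# placeholder, not a real injection payload.
SAMPLE_HTML = (
    "<html><body>"
    "<p>Hi team, the Q3 report is on the shared drive. Thanks!</p>"
    '<span style="font-size:0px;color:#ffffff">'
    "[placeholder hidden instruction for the summarizer]"
    "</span></body></html>"
)

# Constructed sample summary of the kind the article describes (assumed, not
# an actual Gemini output): an alarming alert plus a call-back number.
SAMPLE_SUMMARY = (
    "Warning: your Gmail password has been compromised. "
    "Call support immediately at 1-800-555-0100."
)

# CSS declarations that make text invisible to a human but not to a parser.
HIDDEN_STYLE_PATTERNS = [
    re.compile(r"font-size\s*:\s*0(\.0+)?(px|pt|em|rem|%)?\s*(;|$)", re.I),
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"opacity\s*:\s*0(\.0+)?\s*(;|$)", re.I),
    re.compile(r"(?<![\w-])color\s*:\s*(#fff(fff)?|white|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))\s*(;|$)", re.I),
]
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}  # never have a closing tag


def is_hidden_style(style: str) -> bool:
    """True if an inline style would hide the element's text from a reader."""
    return any(p.search(style) for p in HIDDEN_STYLE_PATTERNS)


class VisibleTextExtractor(HTMLParser):
    """Separate text a reader sees from text inside hidden elements."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self._stack = []        # one bool per open tag: did it start a hidden region?
        self._hidden_depth = 0  # >0 while inside at least one hidden element

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        hidden = "hidden" in a or is_hidden_style(a.get("style") or "")
        self._stack.append(hidden)
        if hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        if self._stack.pop():
            self._hidden_depth -= 1

    def handle_data(self, data):
        text = data.strip()
        if text:
            (self.hidden if self._hidden_depth else self.visible).append(text)


def sanitize_email_html(html: str):
    """Return (visible_text, hidden_text). Only visible_text should be summarized;
    non-empty hidden_text is itself a signal worth logging."""
    p = VisibleTextExtractor()
    p.feed(html)
    p.close()
    return " ".join(p.visible), " ".join(p.hidden)


# Post-processing filter for the summarizer's output (constructed keyword list).
URGENT_TERMS = re.compile(r"\b(urgent|immediately|compromised|suspended|verify|password)\b", re.I)
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def scan_summary(summary: str) -> dict:
    """Flag summaries that carry urgency cues, URLs or phone numbers for review."""
    findings = {
        "urgent_terms": URGENT_TERMS.findall(summary),
        "urls": URL_RE.findall(summary),
        "phone_numbers": PHONE_RE.findall(summary),
    }
    findings["flag_for_review"] = any(findings[k] for k in ("urgent_terms", "urls", "phone_numbers"))
    return findings


if __name__ == "__main__":
    visible, hidden = sanitize_email_html(SAMPLE_HTML)
    print("visible:", visible)
    print("hidden :", hidden)
    print("scan   :", scan_summary(SAMPLE_SUMMARY))
```

The sanitizer runs before the summarizer and the scanner after it, so an injection that survives one layer still has to pass the other; in practice the "hidden text present" signal alone is a good reason to route the message to review before any summary is shown to the user.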
BleepingComputer asked Google about preventing or mitigating such attacks, and a spokesperson pointed us to a Google blog post on security measures against prompt injection attacks.
A Google spokesperson told BleepingComputer, “We are already hardening our strong defenses through red-teaming exercises that train our models to protect them from such adversarial attacks.”
The company’s representative clarified to BleepingComputer that some mitigations are in the process of being implemented or have already been deployed.
The spokesperson said that Google has not seen any evidence of Gemini being manipulated in the way Figueroa reported.