Google has been steadily adding new AI features to the mobile Gmail app. Earlier this year, in June, the company rolled out a new feature that used Gemini to show a summarised version of emails or long threads. While the functionality is useful, a newly found security flaw suggests that Gmail’s AI email summaries can be exploited to show harmful instructions and inject links to malicious websites.
According to Mozilla’s GenAI Bug Bounty Programs Manager, Marco Figueroa, a security researcher demonstrated how a prompt injection vulnerability in Google Gemini for Workspace allowed hackers to “hide malicious instructions inside an email”, which were activated when users clicked on the “Summarize this email” option in Gmail.
How does this work?
The process involved threat actors creating an email with invisible instructions for Gemini that were hidden in the body at the end of the message using HTML and CSS by setting the font size to zero and changing the text colour to white.
As there are no attachments in these emails, the message is highly likely to bypass Google’s spam filters and reach the target’s inbox. When the recipient opened their email and asked Gemini to generate a summarised version of the email, the AI tool was found to obey these hidden instructions.
A researcher shows how Gmail’s AI summary feature can be manipulated using invisible HTML and CSS text. (Image Source: Mozilla)
These malicious instructions caused Gmail to show a phishing warning, which looked like it came from Google itself. Since the warning is coming from Gemini itself, many users won’t even think twice about it, which is what makes the exploit very dangerous.
Figueroa also shares some ways in which these injection prompts can be detected and dealt with. One way is that Gemini can either remove or ignore the content hidden in the body text. Alternatively, Google can also use a post-processing filter that scans Gemini’s output for things like urgent messages, phone numbers and URLs and flags them for further review.
When BleepingComputer asked Google about the security exploit and how it plans to prevent such attacks, a company spokesperson said that some mitigations were in place and others were being implemented. The tech giant also said that, as of now, there are no hackers using this trick in real-world attacks, but the research does show that it’s possible to do so.
Story continues below this ad
Google may be very good at finding and fixing such security loopholes, but threat actors are usually known for thinking one step ahead. We suggest users not to blindly trust any AI-generated email summaries and check links and emails before clicking on them.
© IE Online Media Services Pvt Ltd