132
A critical security vulnerability in Google Calendar was recently discovered by researchers, putting users at risk of data leakage. The flaw allowed attackers to exploit Gemini agents through malicious calendar invites. Google swiftly addressed the issue after it was reported, ensuring the safety of users.
Security Flaw in Google Calendar Enables Data Leakage
SafeBreach researchers uncovered a significant security flaw in Google Calendar that posed a threat to user security. In a detailed blog post, they explained how the vulnerability could be leveraged by attackers to take control of Gemini agents on a target device using specially crafted calendar invites. This unauthorized access could potentially expose sensitive information through Gemini without requiring any user interaction.
The attack scenario involves sending a malicious calendar invite to the target user, embedding the malicious prompt within the event title. When the target user queries Gemini about the calendar invites, the malicious prompt gets executed, allowing the attacker to perform various nefarious actions without the user’s knowledge.
These actions could include manipulating calendar events, extracting the user’s IP address through a URL, or interacting with other applications like Google Home, Messages, Phone, or Zoom, enabling activities such as joining calls or retrieving data without user consent.
A diagram illustrating the attack flow is provided below:
Source: SafeBreach
The researchers demonstrated a technique called “context poisoning,” where the LLM (Large Language Model) is manipulated to consider the entire conversation history one query at a time. By injecting a malicious instruction into a long conversation, the model could be tricked into executing unauthorized activities. The attacks showcased included spamming, generating harmful content, invoking tools and apps, visiting URLs, and exfiltrating data.
Google’s Mitigation Measures
Upon receiving the researchers’ report, Google took swift action and implemented mitigation strategies to prevent promptware attacks. In a blog post published in June 2025, Google outlined the enhancements made to the latest Gemini models (v2.5 and above) to defend against promptware attacks. These measures include:
- Prompt injection content classifiers: Analyzing instructions to avoid responding to malicious prompts.
- Security thought reinforcement: Focusing on the task at hand and ignoring malicious instructions.
- Markdown sanitization and suspicious URL redaction: Removing external URLs from output upon detecting malicious links.
- User confirmation framework: Seeking user confirmation for suspicious actions before execution.
- End-user security mitigation notifications: Notifying users of potentially malicious activities detected by Gemini.
Rise of Promptware Threats
The findings from SafeBreach underscore the growing threat of promptware in the cybersecurity landscape, impacting not just Gemini but a wide range of AI applications. As AI technologies become more prevalent, the need for timely mitigation of promptware threats becomes increasingly critical.
While SafeBreach’s research sheds light on this issue, it is worth noting that similar concerns were raised by a research team in 2024 regarding promptware threats affecting generative AI applications. The researchers also proposed various strategies to mitigate these risks.
We welcome your thoughts and comments on this topic.
Stay updated on this post category in real-time on your device. Subscribe now.
