Security researchers have uncovered a significant vulnerability in Google Gemini for Workspace that enables threat actors to embed hidden malicious instructions within emails. The attack exploits the AI assistant’s “Summarize this email” feature to display fabricated security warnings that appear to originate from Google itself, potentially leading to credential theft and social engineering attacks. When victims click Gemini’s “Summarize this email” feature, the AI assistant processes the hidden directive as a legitimate system command and faithfully reproduces the attacker’s fabricated security alert in its summary output. Security teams are advised to implement several defensive measures, including inbound HTML linting to strip invisible styling, LLM firewall configurations, and post-processing filters that scan Gemini output for suspicious content. This vulnerability underscores the emerging reality that AI assistants represent a new component of the attack surface, requiring security teams to instrument, sandbox, and carefully monitor their outputs as potential threat vectors. A proof-of-concept example demonstrates how attackers can insert invisible spans containing admin-style instructions that direct Gemini to append urgent security warnings to email summaries. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. Security experts classify this attack under the 0DIN taxonomy as “Stratagems → Meta-Prompting → Deceptive Formatting” with a moderate social-impact score. The vulnerability represents a form of indirect prompt injection (IPI), where external content supplied to the AI model contains hidden instructions that become part of the effective prompt. Security researchers warn that compromised SaaS accounts could transform into “thousands of phishing beacons” through automated newsletters, CRM systems, and ticketing emails. For AI providers like Google, recommended mitigations include HTML sanitization at ingestion, improved context attribution to separate AI-generated text from source material, and enhanced explainability features that reveal hidden prompts to users. Unlike traditional phishing attempts, this attack requires no links, attachments, or external scripts, only specially formatted text hidden within the email body. This creates a significant cross-product attack surface where any workflow involving third-party content processed by Gemini could become a potential injection vector. The attack leverages a prompt-injection technique that manipulates Gemini’s AI processing capabilities through crafted HTML and CSS code embedded within email messages. Attackers embed instructions within <Admin> tags while using CSS styling such as white-on-white text or zero font size to make the content invisible to recipients. The vulnerability extends beyond Gmail to potentially affect Gemini integration across Google Workspace, including Docs, Slides, and Drive search functionality. The technique also raises concerns about future “AI worms” that could self-replicate across email systems, escalating from individual phishing attempts to autonomous propagation.
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 14 Jul 2025 02:20:20 +0000