Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Artificial Intelligence

Google Gemini Tricked Into Showing Phishing Message Hidden in Email 

Google Gemini for Workspace can be tricked into displaying a phishing message when asked to summarize an email.

AI hack

A researcher has found that Google Gemini for Workspace is affected by a prompt injection vulnerability that can be exploited to trick the AI assistant into displaying a phishing message.

The weakness was found by Marco Figueroa and reported through Mozilla’s 0Din bug bounty program, which focuses on gen-AI vulnerabilities.

The researcher’s hack involves sending the targeted user an email that, in addition to a benign lure text, contains a phishing message that is written with white font on a white background, making it invisible to the target. 

This phishing message, which needs to be wrapped inside <admin> tags, instructs Gemini to include the message at the end of its response.

When the target uses Gemini’s ‘summarize this email’ functionality to get a summary of the attacker’s email, in addition to a summary of the text visible to the victim, Gemini displays the phishing message. That is because Gemini prioritizes the text wrapped in <admin> tags and reproduces it verbatim. 

As an example, Figueroa created an email that would cause Gemini to display a message informing the victim that their Gmail password has been compromised, instructing them to call a phone number to reset the password. The attacker could then phish the victim’s credentials when they get the call. 

Advertisement. Scroll to continue reading.

Google has been taking steps to mitigate prompt injection attacks and it recently summarized its work in this area. 

The company told SecurityWeek that it has not seen any evidence of this specific method being used in attacks.

“Defending against attacks impacting the industry, like prompt injections, has been a continued priority for us, and we’ve deployed numerous strong defenses to keep users safe, including safeguards to prevent harmful or misleading responses. We are constantly hardening our already robust defenses through red-teaming exercises that train our models to defend against these types of adversarial attacks,” a Google spokesperson said via email.

*updated with statement from Google

Related: Grok-4 Falls to a Jailbreak Two Days After Its Release

Related: ChatGPT Jailbreak: Researchers Bypass AI Safeguards Using Hexadecimal Encoding and Emojis

Related: New AI Jailbreak Bypasses Guardrails With Ease

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.