A cybersecurity researcher has found that Gemini, the AI tool integrated into Gmail, is vulnerable to a specific kind of manipulation that does not require traditional phishing techniques like links or malware. Instead, this vulnerability uses hidden text in emails to deceive the AI into generating malicious summaries, potentially tricking users without them realizing anything is wrong. The issue highlights new challenges that come with integrating AI into core communication tools like email.

The vulnerability was demonstrated by Marco Figueroa, who currently manages Mozilla’s GenAI bug bounty programme called 0din. In his research, he showed how attackers can use a method known as prompt injection to send hidden instructions within an email. These instructions are invisible to the recipient but are picked up by the AI when it summarizes the content of the email. This could lead to Gemini producing a summary that includes harmful or misleading messages, presented as if they are legitimate information.

The process involves embedding a hidden prompt inside an email by using a white font on a white background or using HTML and CSS tricks like setting the font size to zero or placing the text off-screen. Because there are no links, attachments, or obvious signs of danger, these emails can bypass common spam filters and land directly in the user’s main inbox. The attack is particularly effective when the prompt is enclosed in what appears to be an administrative instruction, which Gemini treats as a high-priority command.

What makes this more concerning is how convincingly the AI presents the altered content. When a user clicks the “summarise email” option, Gemini reads the hidden prompt and includes the attacker’s message as part of the summary. Since this output comes from Gemini and not from the original email sender, users may be more inclined to trust it. This opens the door for scams where AI is unknowingly used to build credibility around a malicious request.

Screenshots shared by the researcher show that Gemini followed the injected prompts precisely and included the attacker’s message in the summary. In a real-world scenario, this could be used to convince users to share sensitive data, click on dangerous links in follow-up messages, or take other compromising actions.

Google has acknowledged the issue but stated that there is no evidence so far of it being used in the wild. However, the company has also confirmed it is working on defenses to prevent such prompt injection attacks. This discovery emphasizes the importance of constantly monitoring AI-powered systems, especially those integrated into services as widely used as Gmail. As more AI tools are embedded into everyday applications, their ability to safely process user data becomes critical.

While Gemini’s features are designed to make communication faster and more productive, users must be cautious. The rise of invisible manipulation techniques like this prompt injection shows that even tools meant to help us can be turned into weapons by bad actors. It also underlines the urgent need for tech companies to design AI systems that can resist such subtle forms of exploitation.
