A serious flaw in Google Gemini for Workspace has been discovered by security researchers, allowing threat actors to insert malicious instructions into emails.
The attack uses the AI assistant's "Summarize this email" function to show fake security alerts that seem to be from Google, which could result in social engineering and credential theft.
Key Takeaways
- Attackers hide malicious instructions in emails using invisible HTML/CSS that Gemini processes when summarizing emails.
- Attack uses only crafted HTML with tags—no links, attachments, or scripts required.
- Gemini displays attacker-created phishing warnings that appear to come from Google, tricking users into credential theft.
- Vulnerability affects Gmail, Docs, Slides, and Drive, potentially enabling AI worms across Google Workspace.
A researcher that reported their findings to 0DIN with submission ID 0xE24D9E6B demonstrated the vulnerability. Through carefully constructed HTML and CSS code inserted into email communications, the attack uses a prompt-injection technique to influence Gemini's AI processing capabilities.
In contrast to conventional phishing attempts, this attack just needs specially prepared text concealed within the email body—no links, attachments, or external scripts are needed.
The way Gemini handles hidden HTML directives is exploited in this attack. Attackers use CSS styling, such as white-on-white text or zero font size, to render the information invisible to recipients while embedding instructions inside <Admin> elements.
The AI assistant interprets the hidden directive as a valid system command when victims click Gemini's "Summarize this email" feature, accurately replicating the attacker's fake security alert in its summary output.
Google Gemini for Workplace Risk Assessment
The flaw is an example of indirect prompt injection (IPI), in which the AI model receives external input that includes concealed instructions that are incorporated into the effective prompt. This attack has a moderate social impact score and is classified by security professionals as "Stratagems → Meta-Prompting → Deceptive Formatting" under the 0DIN taxonomy.
Attackers can inject invisible spans with admin-style instructions that instruct Gemini to append urgent security warnings to email summaries, as shown in a proof-of-concept example.
In order to facilitate voice-phishing or credential harvesting, these alerts usually encourage consumers to visit websites or call particular phone numbers.
The vulnerability may impact Gemini integration across Google Workspace, including Docs, Slides, and Drive search functions, in addition to Gmail. This makes any workflow containing third-party content that Gemini processes a possible injection route, creating a sizable cross-product attack surface.
Security experts caution that hacked SaaS accounts may become "thousands of phishing beacons" via ticketing emails, CRM programs, and automated mailings.
Future "AI worms" that could reproduce themselves throughout email networks and progress from isolated phishing efforts to autonomous dissemination are another worry raised by the technique.