Content
summary Summary

Israeli researchers have discovered that Google's Gemini assistant can be tricked into leaking sensitive data or controlling physical devices through hidden instructions buried in something as ordinary as a calendar invitation.

Ad

A new study, "Invitation Is All You Need", demonstrates how Gemini-based assistants can be compromised by what the researchers call "targeted promptware attacks." Unlike traditional hacking, these attacks don't require direct access to the AI model or any technical expertise.

Instead, attackers hide their instructions in everyday items like emails, calendar invites, or shared Google Docs. When someone asks Gemini for help in Gmail, Google Calendar, or even Google Assistant, the hidden prompt activates and takes over.

Flowchart: Email/calendar link triggers indirect prompt injection in Gemini, activates smart home devices and monitoring via Zoom and location.
Indirect prompt injection lets attackers use altered Gmail messages or Google Calendar invites to compromise Gemini, allowing them to control smart home devices, record calls on Zoom, or track a user's location. | Image: Nassi et al.

The consequences can be anything from sending spam and deleting appointments to hijacking smart home devices. In one demo, the researchers managed to turn off lights, open windows, and activate a home boiler—all triggered by seemingly harmless phrases like "thank you" or "great."

Ad
Ad

The study outlines five types of attacks and 14 realistic scenarios that could compromise digital and physical systems: short-term context poisoning, long-term manipulation of stored data, exploitation of internal tools, escalation to other Google services like Google Home, and launching third-party apps such as Zoom on Android.

Hacking large language models is dangerously easy

Because these attacks don't require access to the model, specialized hardware, or machine learning expertise, attackers can simply write malicious instructions in plain English and hide them where Gemini will process them. Using their TARA risk analysis framework, the researchers found that 73% of the threats fell into the "high-critical" category. The fact that these attacks are both easy and serious shows just how badly better protections are needed.

Table: Threat analysis with attack classes, vectors, and color-coded impact, likelihood, and risk scores.
The TARA analysis found that 73% of the threats pose high to critical risks, highlighting the urgent need for stronger security measures. | Image: Nassi et al.

Security experts have known since GPT-3 that simple prompts like "ignore previous instructions" can break through LLM security barriers. Even today's most advanced models are still vulnerable, and there's no reliable fix in sight—especially for agent-based systems that interact with the real world. Recent testing has shown that every major AI agent has failed at least one critical security test.

Google rolls out technical fixes

Google learned about the vulnerabilities in February 2025 and requested 90 days to respond. Since then, the company has put several safeguards in place: mandatory user confirmations for sensitive actions, stronger detection and filtering of suspicious URLs, and a new classifier to catch indirect prompt injections. Google says it tested all attack scenarios internally, including additional variants, and that these defenses are now active in all Gemini applications.

The research was conducted by teams from Tel Aviv University, the Technion, and security company SafeBreach. The title of the study is a reference to "Attention Is All You Need", the influential paper that sparked the large language model revolution.

Ad
Ad
Join our community
Join the DECODER community on Discord, Reddit or Twitter - we can't wait to meet you.
Recommendation
Support our independent, free-access reporting. Any contribution helps and secures our future. Support now:
Bank transfer
Summary
  • Researchers have demonstrated that Google's Gemini assistant can be manipulated through simple, hidden instructions placed in emails, calendar entries, or documents, requiring no technical expertise from the attacker.
  • By inserting a malicious command into otherwise innocent-looking text, attackers can trigger the assistant to disclose sensitive information, remove appointments, or even control smart home devices once it processes the content.
  • The study rates 73% of potential attacks as highly critical and details 14 ways digital and physical assets could be easily compromised through this method.
Sources
Matthias is the co-founder and publisher of THE DECODER, exploring how AI is fundamentally changing the relationship between humans and computers.
Join our community
Join the DECODER community on Discord, Reddit or Twitter - we can't wait to meet you.