Google Gemini Vulnerable to Hidden Prompt Injection via Calendar Invites

Israeli researchers have uncovered a significant vulnerability in Google’s Gemini assistant, demonstrating how the AI can be manipulated to leak sensitive data or even control physical devices through hidden instructions embedded in everyday digital items. A new study, provocatively titled “Invitation Is All You Need,” details how Gemini-powered systems are susceptible to what the researchers term “targeted promptware attacks.” These sophisticated yet simple exploits stand apart from traditional hacking methods, as they demand no direct access to the AI model itself nor any specialized technical expertise from the attacker.

Instead, the attack relies on an insidious form of “indirect prompt injection,” where malicious commands are concealed within seemingly innocuous content such as emails, calendar invitations, or shared Google Docs. When a user interacts with Gemini—perhaps by asking for assistance within Gmail, Google Calendar, or through Google Assistant—the hidden prompt is activated, effectively hijacking the AI’s intended function. The consequences of such an attack are far-reaching, ranging from the dispatch of spam emails and the deletion of scheduled appointments to the unauthorized control of smart home devices. In a striking demonstration, the researchers successfully used these hidden prompts to manipulate a smart home system, turning off lights, opening windows, and even activating a boiler, all triggered by seemingly harmless phrases like “thank you” or “great.”

The study meticulously outlines five distinct categories of these attacks and presents fourteen realistic scenarios that could compromise both digital and physical systems. These include short-term context poisoning, which immediately influences Gemini’s current task; long-term manipulation of stored user data; exploitation of internal Google tools; escalation to other Google services like Google Home; and the remote launching of third-party applications such as Zoom on Android devices.

The ease with which these large language models can be compromised is a significant concern. Since these attacks do not necessitate direct model access, specialized hardware, or machine learning expertise, attackers can simply craft malicious instructions in plain English and embed them where Gemini is likely to process them. Utilizing their TARA risk analysis framework, the researchers assessed the potential threats, finding that a substantial 73% fell into the “high-critical” risk category. This alarming combination of simplicity and severity underscores an urgent need for more robust security measures.

Security experts have been aware of such vulnerabilities since the early days of large language models, with simple prompts like “ignore previous instructions” proving capable of breaching security barriers in models as far back as GPT-3. Despite advancements, even today’s most sophisticated AI models remain susceptible, and a definitive, reliable fix—particularly for agent-based systems that interact directly with the real world—remains elusive. Recent comprehensive testing has revealed that every major AI agent has, at a minimum, failed at least one critical security assessment.

Google, having been alerted to these vulnerabilities in February 2025, responded by requesting 90 days to implement countermeasures. Since then, the company has reportedly deployed several safeguards. These include mandatory user confirmations for sensitive actions, enhanced detection and filtering mechanisms for suspicious URLs, and the introduction of a new classifier specifically designed to identify and neutralize indirect prompt injections. Google asserts that it has internally tested all identified attack scenarios, alongside additional variants, and confirms that these new defenses are now actively deployed across all Gemini applications. The groundbreaking research was a collaborative effort by teams from Tel Aviv University, the Technion, and the cybersecurity firm SafeBreach.