Recent research published by Israeli researchers shows that Google's Gemini assistant may have significant security vulnerabilities. Attackers do not need advanced technical skills; they can use simple instructions hidden in everyday content to exploit the Gemini assistant to access sensitive data or even remotely control physical devices.
A new study titled "Just an Invite" demonstrates that assistants based on Gemini are vulnerable to so-called "targeted prompt injection attacks". Unlike traditional hacking attacks, these do not require direct access to AI models or technical expertise. Instead, malicious instructions are hidden in seemingly harmless emails, calendar invitations, or shared documents. When users seek help from Gemini in Gmail, Google Calendar, or Google Assistant, these hidden instructions are activated and executed.
The research team demonstrated the severity of this attack in a demonstration. Attackers can use modified Gmail messages or Google Calendar invitations to control smart home devices, record Zoom calls, or track user locations. By using some seemingly harmless words, such as "Thank you" or "Great", researchers successfully turned off lights, opened windows, and even started a home boiler remotely.
Multiple Attack Risks, Security Vulnerabilities Require Immediate Attention
Researchers outlined five potential types of attacks and 14 real-world scenarios, which could simultaneously threaten digital and physical systems. These include:
Short-term context poisoning: Attackers influence Gemini's response temporarily through malicious instructions.
Long-term manipulation of stored data: Using Gemini's data storage function, attackers manipulate information over a long period.
Exploiting internal tools: Abuse Gemini's internal tools for malicious purposes.
Escalation to other Google services: Penetrate into other Google services such as Google Home through Gemini.
Launching third-party applications: Remotely launch third-party applications like Zoom on Android devices.
Google Introduces Fixes to Address Threats
The researchers evaluated these threats using the TARA risk analysis framework and found that 73% of the threats fall into the "high-risk" category. This indicates that these attacks are not only easy to carry out but also have serious consequences, highlighting the urgency of strengthening security measures. Since GPT-3, security experts have been aware of the vulnerabilities in large language models (LLMs), such as simple "ignore previous instructions" prompts that can bypass security protections. This study further confirms that even the most advanced AI models today still have these vulnerabilities.
After learning about these vulnerabilities in February 2025, Google has implemented multiple security measures to fix them, including forcing users to confirm sensitive operations, enhancing detection and filtering of suspicious URLs, and using new classifiers to capture indirect prompt injections. Google stated that these defensive measures have been enabled in all Gemini applications and completed internal testing.
This study was conducted by teams from Tel Aviv University, the Technion-Israel Institute of Technology, and the security company SafeBreach.