Українська правда

Gemini vulnerability allows Gmail email summaries to be used for phishing

- 15 July, 09:43 AM

A critical vulnerability has been discovered in the Gemini email feature integrated into Gmail, which allows hackers to carry out phishing attacks through artificially generated email summaries. This is reported by the BleepiingComputer portal with reference to 0DIN.

The vulnerability was discovered by Marco Figueroa, Mozilla’s GenAI Bug Bounty Program Manager. Figueroa notes that attackers can hide instructions in the body of an email by formatting them in white and reducing the font to zero, making the text invisible to humans but accessible to Gemini’s analysis. As a result, the AI can automatically add false warnings, such as password breaches, to the summary, along with a fake support number.

Example of creating a malicious email
0DIN
Gemini summary result for hidden query
0DIN

While some users may not respond to such messages, others may be trapped by the emotional impact of such content. Figueroa notes that security teams can develop methods to detect hidden information, as well as analyze the summaries generated by AI for the presence of URLs, phone numbers or urgent messages.

BleepingComputer reached out to Google about this vulnerability in Gemini. A company representative responded that they have not yet seen any evidence of abuse, but added that Google is already working on protections and will soon implement additional security measures.

Load more