Abeerah Hashim
2025-08-20 08:00:00
latesthackingnews.com
Researchers discovered a major security flaw in Google Calendar that could allow hijacking Gemini agents via malicious invites. Google patched the flaw following the bug report, ensuring users’ security.
Malicious Invites Could Exploit Google Calendar Flaw To Leak Data
Researchers from SafeBreach discovered a serious vulnerability in Google Calendar that could risk users’ security. As elaborated in their blog post, the security flaw could allow an attacker to hijack Gemini agents on the target device via maliciously crafted Google Calendar invites. In turn, this would allow the attacker to access sensitive data via Gemini without requiring user interaction.
Briefly, the attack begins when the attacker sends a malicious Calendar invite to the target user. The attack involves embedding the malicious prompt within the invite’s event title, so it can be pulled up after the target user asks Gemini about the calendar invites.
Because Gemini treats the injected prompt as part of its context, it performs the requested action without recognizing the malicious intent. The prompt can instruct any action the attacker chooses, such as meddling with Calendar events, extracting the user’s IP address via a URL, or interacting with other agents, such as Google Home, Messages, and Phone, or with other applications like Zoom, to perform activities like joining a call or fetching data without user input.
[Diagram: attack flow. Source: SafeBreach]
In their study, the researchers demonstrated “context poisoning” – a technique where the LLM is tricked into considering the entire conversation history by sending one query at a time. Injecting a malicious instruction into a long conversation would trick the model into executing the activity. The researchers conducted various types of attacks this way, such as spamming the user, generating hateful content, invoking tools and apps, visiting URLs, and exfiltrating data.
Google Deployed Mitigations
Following the researchers’ report, Google acknowledged their efforts and deployed mitigation strategies to prevent promptware attacks. According to their blog post published in June 2025, Google strengthened the latest Gemini models (v2.5 and later) with layered defense strategies to prevent promptware. These include:
- Prompt injection content classifiers: The model analyzes the instructions and avoids responding to malicious instructions.
- Security thought reinforcement: When part of the input is detected as malicious, as in prompt injection attacks, the model focuses only on the task and ignores the malicious instructions.
- Markdown sanitization and suspicious URL redaction: The model analyzes external URLs and removes them from the output upon detecting malicious links.
- User confirmation framework: For instructions including suspicious actions, like deleting Calendar events, the model asks for user confirmation before performing the action.
- End-user security mitigation notifications: Users receive notifications highlighting Gemini’s activities upon detecting potentially malicious elements, such as the removal of suspicious URLs.
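Two of the listed controls, suspicious URL redaction and user confirmation, can also be enforced outside the model as plain filters on its output and tool calls. The sketch below is an added illustration, not Google's or SafeBreach's code; the allowlist, the action names and all function names are assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed policy for this sketch (not Google's actual lists): hosts the
# assistant may link to, and tool actions that need an explicit user "yes".
ALLOWED_HOSTS = {"calendar.google.com", "meet.google.com"}
SENSITIVE_ACTIONS = {"delete_event", "open_url", "join_call"}
URL_RE = re.compile(r"https?://[^\s()\[\]<>]+")


def redact_urls(text):
    """Replace URLs on non-allowlisted hosts; return (clean_text, removed)."""
    removed = []

    def _sub(match):
        url = match.group(0)
        if (urlparse(url).hostname or "") in ALLOWED_HOSTS:
            return url
        removed.append(url)
        return "[link removed]"

    return URL_RE.sub(_sub, text), removed


def authorize(action, untrusted_in_context, ask_user):
    """Gate a model-proposed tool call.

    untrusted_in_context: third-party text (e.g. an invite title) was in the
    prompt this turn. ask_user: callback showing the action, returns bool.
    """
    if action in SENSITIVE_ACTIONS and untrusted_in_context:
        return bool(ask_user(action))
    return True


def handle_turn(reply, proposed_actions, untrusted_in_context, ask_user):
    """Apply both controls to one assistant turn; return what the user gets."""
    clean, removed = redact_urls(reply)
    allowed = [a for a in proposed_actions
               if authorize(a, untrusted_in_context, ask_user)]
    notices = ["Removed suspicious link to " + (urlparse(u).hostname or "?")
               for u in removed]
    return {"reply": clean, "actions": allowed, "notices": notices}


# Constructed sample turn: the reply carries an off-allowlist image URL.
SAMPLE_REPLY = "Next: standup ![i](https://tracker.example/p.png?q=1) https://meet.google.com/abc"
SAMPLE = handle_turn(SAMPLE_REPLY, ["list_events", "delete_event"], True, lambda a: False)
```

The `notices` list plays the role of the end-user notification: the user sees that a link was removed and which host it pointed to.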
Promptware Threats Are Rising
According to the researchers, the SafeBreach report doesn’t apply specifically to Gemini. Instead, it indicates the widespread impact of a rising threat in the cybersecurity world: promptware. As AI usage becomes common, timely mitigation of promptware threats becomes even more important.
Nonetheless, SafeBreach isn’t the first to point out this threat. In 2024, a team of researchers shared a detailed research paper about promptware threats impacting generative AI apps. The researchers also proposed various mitigation strategies to avoid these threats.