{"id":127375,"date":"2025-07-15T00:15:33","date_gmt":"2025-07-14T18:45:33","guid":{"rendered":"https:\/\/www.techworm.net\/?p=127375"},"modified":"2025-07-15T00:15:33","modified_gmt":"2025-07-14T18:45:33","slug":"hackers-use-hidden-text-to-trick-google-gemini","status":"publish","type":"post","link":"https:\/\/www.techworm.net\/2025\/07\/hackers-use-hidden-text-to-trick-google-gemini.html","title":{"rendered":"Hackers Use Hidden Text To Trick Google Gemini"},"content":{"rendered":"

Security researchers have discovered a stealthy new method to manipulate Google\u2019s Gemini AI assistant by hiding malicious commands in email code that Gemini unknowingly follows.<\/p>\n

These indirect prompt injection (IPI) methods allow scammers to plant fake alerts inside AI-generated summaries, making them appear as legitimate warnings from Google itself, eventually leading users straight into phishing traps.<\/p>\n

How The Exploit Works<\/strong><\/p>\n

Unlike traditional phishing scams that rely on shady links or attachments, this technique is far more subtle, as the trick lies in the email\u2019s code. Attackers hide instructions in emails using invisible text \u2014white font on a white background, zero-sized fonts, or off-screen elements. Though they remain unseen by the human eye, Gemini does see them and fully processes them.<\/p>\n

<\/p>\n

 <\/p>\n

Once the recipient clicks on \u201cSummarize this email\u201d in Google Workspace, Gemini scans the entire message, including the hidden sections. If those hidden parts contain malicious prompts, they are also included in the summary output.<\/p>\n

This results in a fake yet convincing security alert urging users to call a support phone number or take urgent action. Since the alert appears to come from Gemini itself, users may trust it, making the attack especially dangerous.<\/p>\n

Exploit Discovered Through A Bug Bounty Program<\/strong><\/p>\n

The prompt-injection vulnerability in Google Gemini for Workspace was disclosed to Mozilla\u2019s 0din bug bounty program<\/a> for generative AI tools by researcher Marco Figueroa, GenAI Bug Bounty Programs Manager at Mozilla. His demonstration showed how an attacker could embed hidden instructions using styling directives like <Admin> tags or CSS code, which are designed to hide content from human eyes, to trick Gemini.<\/p>\n

As Gemini treats such instructions as part of the prompt, it ends up repeating them as if they were part of the original message in its summary output, without realizing they were malicious.<\/p>\n

Figueroa provided a proof-of-concept example\u00a0to demonstrate how Gemini could be tricked into displaying a fake security alert, warning the user that their Gmail password had been compromised and providing a fraudulent support number to call.<\/p>\n

<\/p>\n

 <\/p>\n

Why This Matters<\/strong><\/p>\n

The attack is a form of indirect prompt injection, where malicious input is buried within content the AI is supposed to summarize. This has become a growing concern as generative AI becomes integrated into daily workflows. With Gemini integrated across Google Workspace\u2014Gmail, Docs, Slides, and Drive\u2014any system where the assistant analyzes user content is potentially vulnerable.<\/p>\n

What makes it more dangerous is that these summaries can seem very convincing. If Gemini includes a fake security warning, users might take it seriously as they trust Gemini as part of Google Workspace without realizing it\u2019s actually a hidden malicious message.<\/p>\n

Google\u2019s Multi-Layered Defense Strategy<\/strong><\/p>\n

In response, Google has rolled out a layered defense system for Gemini that is designed to make these attacks harder to pull off. Measures include:<\/p>\n