A critical vulnerability has been detected in the Gemini function integrated into Gmail, allowing hackers to execute phishing attacks via artificially generated email summaries. This was reported by the BleepingComputer portal, citing information from 0DIN.

The flaw was discovered by Marco Figueroa, the manager of Mozilla's GenAI Bug Bounty program. According to Figueroa, attackers can hide instructions within the body of an email by formatting them in white and reducing the font size to zero, making the text invisible to the human eye but still accessible for Gemini analysis. As a result, AI can automatically add false warnings to the summary, such as alerts about a password breach, along with a fake support number.

While some users may ignore such messages, others could fall victim due to the emotional impact of such content. Figueroa emphasizes that security teams can develop methods for detecting hidden information and analyze the summaries generated by AI for the presence of URLs, phone numbers, or urgent messages.

BleepingComputer reached out to Google regarding this vulnerability in Gemini. A company representative stated that no evidence of exploitation has been seen so far, but added that Google is already working on protective measures and will soon implement additional security protocols.

6285 image for slide
zoom Created with Sketch Beta.
6286 image for slide
zoom Created with Sketch Beta.
6287 image for slide
zoom Created with Sketch Beta.