Skip to main content

The “Gemini Calendar” Leak — Today’s Trending AI Security Exploit

Category: AI Security

Researchers at Miggo Security have disclosed a critical indirect prompt injection flaw in Google Gemini. By deeply integrating with Google Calendar, the AI assistant has inadvertently opened a "semantic backdoor" that allows attackers to stealthily extract private data using nothing more than natural language.

Technical Breakdown — How the Attack Works

This is not a typical malware payload; it’s language-based contamination inside benign artifacts that the AI trusts and executes.

1. Attack Vector: Calendar Invite Injection

  • Entry point: A threat actor sends a malicious Google Calendar invite to the victim.

  • Payload location: Hidden inside the event description or body in plain text or disguised natural language.

  • The Ingestion Reality: Because Gemini ingests visible calendar metadata to be helpful, it may process event content once the invite becomes part of the user’s calendar context, even if the user never actively interacts with it.

2. Triggering via Routine Queries

The malicious payload stays dormant until the user asks Gemini a benign question:

👉 “What’s my schedule today?”

Gemini parses all relevant entries—including the one with the hidden malicious instructions—and interprets the hidden instruction as part of the user’s request.

3. Execution and Exfiltration

Once activated, the hidden prompt directs Gemini to:

  • Summarize private calendar meetings.

  • Create a new calendar event containing that summary.

  • In many enterprise or shared-calendar environments, this new “Shadow Event” may inherit sharing, synchronization, or domain-wide visibility rules, making sensitive summaries accessible beyond the victim’s intent.

Conceptual diagram of the Gemini Calendar leak showing an attacker's malicious invite triggering an unauthorized data summary via indirect prompt injection.

🧩 MITRE ATLAS Mapping (Emerging AI Threats)

Because prompt injection is an emerging AI-native attack class, the following mapping reflects best-fit alignment with MITRE ATLAS rather than a one-to-one traditional ATT&CK equivalence:

MITRE ATLAS Tactic (Best-Fit Alignment)TechniqueHow It Applies
Initial AccessPhishing/Calendar InvitationMalicious calendar invite sent to victim.
ExecutionIndirect Prompt InjectionAI executes hidden prompt during natural language processing.
PersistenceContext PoisoningPayload stays in calendar until queried.
Defense EvasionLanguage EvasionInstruction embedded in benign text that bypasses sanitizers.
ExfiltrationCalendar Event AbuseNew event with extracted data that may inherit sharing or domain visibility rules.

Indicators of Compromise (IOCs)

This class of attack doesn’t produce typical IOCs such as malware hashes. Defenders must monitor for behavioral anomalies:

  • Unknown Senders: Calendar invites received from unknown or unexpected external senders.

  • Automated Summaries: New events created automatically without user action.

    • Example: A calendar event titled ‘Weekly Sync’ suddenly contains a detailed summary of multiple unrelated private meetings in its description.

  • Unexpected API Calls: A spike in calendar creation/modification API calls not initiated by the user.

How to Mitigate and Defend

Immediate User-Focused Steps

  • Disable Auto-Add: In Google Calendar, go to Settings > Event Settings > Add invitations to my calendar. Select "When I respond to the invitation in email."

  • Verify Intent: Avoid asking AI assistants about your schedule if you’re unsure about the origins of recent invites.

  • Set Permissions: Apply strict user confirmations for AI actions involving data creation or sensitive exfiltration points.

Enterprise Controls

  • Sanitization Layers: Place input sanitization layers in front of AI-based assistants to strip "instructional" language from data sources.

  • Blue-Team Reality Check: These controls reduce risk but do not fully eliminate prompt injection, which remains a model-level limitation rather than a traditional vulnerability.

Broader Security Implications

Why This Worked:

Gemini was designed to be helpful, not suspicious. The attack succeeds because the model cannot reliably distinguish information meant to be read from instructions meant to be obeyed.

Google has acknowledged the issue and applied mitigations, but the underlying risk—AI interpreting data as intent—remains unresolved across the industry. This vulnerability is an early warning for the Agentic AI era, where systems don’t just answer questions, they take action.

Stay Alert. Stay Human. Stay Safe.ZyberWalls Research Team

Related From ZyberWalls Research:

Comments

Post a Comment

Popular Posts

Digital Arrest: Hacking the Human Operating System

Image
At Zyberwalls , we see cybersecurity differently. Most people think a "hack" is about clicking a bad link. But the Digital Arrest is the most dangerous attack in India today because it uses Social Engineering —hacking the human, not the machine. Here is the technical breakdown of how this "movie" is directed and how you can stop the show. 1. Reconnaissance: Weaponized OSINT Before the first call, scammers do their homework using OSINT (Open Source Intelligence) . The Tech: Scammers buy leaked databases from the dark web. They know your PII (Personally Identifiable Information)—Aadhaar, address, and bank name. The Human Side: A stranger calls and says, "Mr. Sharma, your Aadhaar ending in 1234 was used in a drug parcel." Because the data is correct, your "Trust Firewall" drops. In reality, he just bought a leaked Excel sheet for ₹500. 2. Vishing & Spoofing: The Fake Uniform Once they have your attention, they move to Vishing (Voice Phish...
Read more

WhisperPair (CVE‑2025‑36911): Bluetooth Earbuds Vulnerability Explained

Image
Category: Threat Intelligence / Cybersecurity Analysis Imagine your earbuds secretly listening to every word you say — during a meeting, a workout, or your commute — and even telling someone where you are. On January 16, 2026, researchers revealed that this nightmare is real. The WhisperPair flaw (CVE‑2025‑36911) in Google’s Fast Pair system lets hackers hijack your wireless earbuds, turning them into silent spies — without any notification, alert, or warning. The Reality Check The tiny earbuds you trust for music, calls, or workouts could be acting as remote “live bugs,” silently recording your most private conversations. Convenience has become the ultimate attack surface. The Anatomy of WhisperPair (CVE-2025-36911) The vulnerability stems from a logic flaw in the Google Fast Pair Service (GFPS), used by dozens of manufacturers worldwide. GFPS is meant to make pairing seamless, but it failed to check if your earbuds are in pairing mode . This “Zero-Click” entry point allows at...
Read more

The "OLE Bypass" Emergency: CVE-2026-21509 Deep Dive

Image
On January 26, 2026 , Microsoft took the rare step of releasing an out-of-band (OOB) emergency update . This was not routine patching. It was a response to active exploitation in the wild — real attackers using a real zero-day. This vulnerability matters not because it is new, but because it shows how modern attacks actually succeed . What Is OLE? (No Jargon) OLE (Object Linking and Embedding) is a Windows feature that allows one program to run inside another program. Common examples: An Excel sheet embedded inside Word A PDF object inside PowerPoint Auto-updating forms inside documents Behind the scenes, Word tells Windows: “Load this external object for me.” If that object is active, it can run code . This is where risk begins. Why OLE Still Exists (And Why That’s Dangerous) OLE is old — very old. But Microsoft cannot remove it because: Enterprises depend on it Government systems depend on it Legacy workflows would break instantly ...
Read more