Security researchers recently discovered a clever new way to trick Google’s Gemini AI into handing over private information. Using a technique called “prompt injection,” attackers can now steal sensitive information directly from a user’s Google Calendar.
For a long time, experts have warned about prompt injection. This happens when someone hides a secret command inside a normal-looking message. Because AI models cannot distinguish between a helpful instruction and the data they are supposed to analyze, they often end up following the hidden command by mistake. While hackers previously used emails for these attacks, researchers at Miggo Security found that Google Calendar is just as vulnerable.
The attack starts with a simple calendar invitation. A hacker creates a new event and adds a malicious command to its description. They then send this invite to the victim’s email address. The attack occurs when the victim asks Gemini to check their schedule or summarize their upcoming meetings.
When Gemini looks at the calendar to answer the user’s question, it sees the hacker’s hidden command. Instead of just reading the event, the AI follows the secret instructions. In testing, the researchers watched as Gemini created a brand-new calendar event. It then wrote a full summary of the victim’s private meetings into the description of that new event and shared it back with the attacker.
The scariest part of this discovery is that it requires almost no effort from the victim. They don’t have to click a suspicious link or download a file. Simply asking the AI to do its job—managing a daily schedule—is enough to give a hacker access to private enterprise data.
Miggo Security noted that in many office settings, these new “summary” events are visible to the person who sent the original invite. This allows the hacker to read sensitive corporate information without the victim ever realizing anything went wrong. This flaw highlights a major problem with current AI. As long as these systems treat every piece of text as a valid command, hackers will continue to find ways to turn our digital assistants against us.
