How a routine calendar invite became an attack vector and what researchers showed
Researchers demonstrated a novel Gemini vulnerability that lets a malicious Google Calendar invite hide instructions in the event title. When a user asks Gemini routine questions—such as “What are my calendar events today?”—the assistant pulls event text into its context window and can treat the hidden instruction as part of the conversation. That behavior allowed the team to trigger Gemini agents and tools on the device without any unusual clicks by the user.
What attackers could make Gemini do (capabilities demonstrated)
The SafeBreach-led proof-of-concept showed a wide range of actions attackers could trigger once Gemini treated the malicious event text as a valid instruction. Demonstrated capabilities included:
- Exfiltrating email content and calendar data
- Triggering Zoom calls and video streams
- Opening apps on Android and retrieving the target’s IP address
- Using Google Home integrations to control smart-home devices
- Deleting or editing calendar events
Researchers emphasized this is a downside of broad tool permissions: the same access that makes Gemini useful also expands what a successful prompt injection can achieve.
How the attack works in practice (mechanics, stealth and limits)
The attack relies on an indirect prompt injection—malicious instructions are embedded in ordinary text fields such as the calendar event title. When Gemini assembles context from Calendar, it includes that malicious title and follows it as if it were a user instruction. The exploit does not require white-box access to the model and was not blocked by Gemini’s prompt filters in the researchers’ tests.
To remain stealthy, attackers may send multiple invites. SafeBreach noted that Calendar’s interface shows only the five most recent events; a sixth invite carrying the malicious prompt can remain hidden under “Show more” while still being parsed by Gemini. Victims are unlikely to spot the malicious title unless they manually expand the events list.
Who published the research and where the findings appeared
The work—titled “Invitation Is All You Need” in the research disclosure—involved SafeBreach researchers and collaborators from Israeli universities. The team published a detailed report and demonstrations showing how ordinary Calendar invites, file names or document titles can act as carriers for targeted prompt-injection attacks against Gemini agents. The research underscores the practical risks of retrieval-augmented model use in connected workflows.
Last month, Mozilla-linked researcher Marco Figueroa also highlighted related prompt-injection issues against Gemini, showing how hidden or white-on-white HTML in emails can compel Gemini to generate misleading summaries that look like legitimate alerts—further illustrating the cross-product risk.
Google’s response and mitigation status
Google says it has already fixed the specific bug reported by the researchers and is rolling out layered defenses to guard against indirect prompt injections across Gemini integrations. In a statement, Andy Wen, senior director of security product management for Google Workspace, praised the responsible disclosure and said the fix was deployed before the issue could be exploited in the wild:
“We fixed this issue before it could be exploited thanks to the great work and responsible disclosure by Ben Nassi and team.”
Google also said it is deploying machine-learning detectors, output filters, and additional controls to require user confirmation for sensitive actions where appropriate.
