Google Gemini exploited to leak private Calendar data through malicious invites

Gemini AI assistant tricked into leaking Google Calendar data

Using only natural language instructions, researchers were able to bypass Google Gemini's defenses against malicious prompt injection and create misleading events to leak private Calendar data. Sensitive data could be exfiltrated this way, delivered to an attacker inside the description of a Calendar event. Gemini is Google's large language model (LLM) assistant, integrated across multiple Google web services and Workspace apps, including Gmail and Calendar. It can summarize and draft emails, answer questions, or manage events. The recently discovered Gemini-based Calendar invite attack starts by sending the target an invite to an event with a description crafted as a prompt-injection payload. To trigger the exfiltration activity, the victim would only have to ask Gemini about their schedule. This would cause Google's assistant to load and parse all relevant events, including the one with the attacker's payload. Researchers at Miggo Security, an Application Detection & Response (ADR) platform, found that they could trick Gemini into leaking Calendar data by passing the assistant natural language instructions: "Because Gemini automatically ingests and interprets event data to be helpful, an attacker who can influence event fields can plant natural language instructions that the model may later execute," the researchers explain. By controlling the description field of an event, they discovered that they could plant a prompt that Google Gemini would obey, although it had a harmful outcome. Once the attacker sent the malicious invite, the payload would be dormant until the victim asked Gemini a routine question about their schedule. When Gemini executes the embedded instructions in the malicious Calendar invite, it creates a new event and writes the private meeting summary in its description. In many enterprise setups, the updated description would be visible to event participants, thus leaking private and potentially sensitive information to the attacker. Miggo comments that, while Google uses a separate, isolated model to detect malicious prompts in the primary Gemini assistant, their attack bypassed this failsafe because the instructions appeared safe. Prompt injection attacks via malicious Calendar event titles are not new. In August 2025, SafeBreach demonstrated that a malicious Google Calendar invite could be used to leak sensitive user data by taking control of Gemini's agents. Miggo's head of research, Liad Eliyahu, told BleepingComputer that the new attack shows how Gemini's reasoning capabilities remained vulnerable to manipulation that evades active security warnings, and despite Google implementing additional defenses following SafeBreach's report. Miggo has shared its findings with Google, and the tech giant has added new mitigations to block such attacks. However, Miggo's attack concept highlights the complexities of foreseeing new exploitation and manipulation models in AI systems whose APIs are driven by natural language with ambiguous intent. The researchers suggest that application security must evolve from syntactic detection to context-aware defenses.

This Gemini Calendar trick turns a simple invite into a privacy nightmare

Google was duly notified and has added new protections, but the issue highlights how AI features can be abused through natural language. Google recently made Gemini a lot more useful by letting it work across multiple Calendars, not just your primary one. You can now ask about events or create new meetings across secondary calendars using natural language. But just as that update rolled out, security researchers shared a worrying new finding about how Gemini can be exploited to access someone's private and confidential Calendar information. Researchers at Miggo Security (via BleepingComputer) discovered a way to abuse Gemini's deep integration with Google Calendar to access private calendar data using nothing more than a calendar invite. The exploit doesn't rely on malware or suspicious links. Instead, it hides within a Calendar invite in plain sight. An attacker sends a calendar invite with carefully written text in the event description. It looks harmless to a user, but Gemini treats it as a natural-language prompt. Nothing happens right away, and the invite just sits on the user's calendar. The problem starts later. If the user asks Gemini something simple like, "Am I free on Saturday?", Gemini scans all calendar events to answer the question, including the malicious one. That's when the hidden instructions kick in. In Miggo's test, Gemini summarized the user's meetings for a specific day, created a new calendar event, and quietly pasted that private meeting summary into the event's description. Gemini then replied to the user with a perfectly harmless message, such as "it's a free time slot." So what happens is that the newly created event containing all of the users' private meeting details becomes visible to the attacker, without the user ever realizing their data has been compromised. According to the researchers, the attack works because the instructions appear to be regular language commands, not malicious code. That makes them hard for traditional security systems to detect. Miggo says it responsibly disclosed the issue to Google, and the company has since added new protections to block this type of attack. However, this isn't the first time security researchers have used a prompt-injection attack via Google Calendar invites. Researchers at SafeBreach previously demonstrated how a poisoned calendar invite could hijack Gemini and help control smart home devices. Speaking to BleepingComputer, Miggo's head of research, Liad Eliyahu, said the latest attack method shows how Gemini's reasoning abilities can still be manipulated to bypass active security warnings, despite the security modifications Google made after the SafeBreach attack.

Researchers got Gemini AI to leak Google Calendar data, they claim

Google's Gemini AI assistant can be coerced into sharing private user data, according to researchers. Credit: Mateusz Slodkowski/SOPA Images/LightRocket via Getty Images Google's AI assistant Gemini has surged to the top of AI leaderboards since the search giant's latest update last month. However, cybersecurity researchers say the AI chatbot still has some privacy problems. Researchers with the app security platform Miggo Security recently released a report detailing how they were able to trick Google's Gemini AI assistant into sharing sensitive user calendar data (as first reported by Bleeping Computer) without permission. The researchers say they accomplished this with nothing more than a Google Calendar invite and a prompt. The report, titled Weaponizing Calendar Invites: A Semantic Attack on Google Gemini, explains how the researchers sent an unsolicited Google Calendar invite to a targeted user and included a prompt that instructed Gemini to do three things. The prompt requested that Gemini summarize all of the Google Meetings the targeted user had in a specific day, take that data and include it in the description of a new calendar invite, and then hide all of this from the targeted user by informing them "it's a free time slot" when asked. According to researchers, the attack was activated when the targeted user asked Gemini about their schedule that day on the calendar. Gemini responded as requested, telling the user, "it's a free time slot." However, the researchers say it also created a new calendar invite with a summary of the target user's private meetings in the description. This calendar invite was then visible to the attacker, the report says. Miggo Security researchers explain in their report that "Gemini automatically ingests and interprets event data to be helpful," which makes it a prime target for hackers to exploit. This type of attack is known as an Indirect Prompt Injection, and it's starting to gain prominence among bad actors. As the researchers also point out, this type of vulnerability among AI assistants is not unique to Google and Gemini. The report includes technical details about the security vulnerability. In addition, the Miggo Security researchers urge AI companies to attribute intent to requested actions, which could help stop bad actors engaging in prompt injection attacks.

A Google Gemini security flaw let hackers use calendar invites to steal private data

Security researchers found yet another way to run prompt injection attacks on Google's Gemini AI, this time to exfiltrate sensitive Google Calendar data. Prompt injection is a type of attack in which the malicious actor hides a prompt in an otherwise benign message. When the victim tells their AI to analyze the message (or otherwise use it as data in its work), the AI ends up running the prompt and doing the actor's bidding. At its core, prompt injection is possible because AIs cannot distinguish between the instruction and the data used to execute that instruction. So far, prompt injection attacks were limited to email messages, and the instruction to summarize, or read emails. In the latest research, Miggo Security said the same can be done through Google Calendar. When a person creates a calendar entry, they can invite other participants by adding their email address. In this scenario, a threat actor can create a calendar entry that contains the malicious prompt (to exfiltrate calendar data) and invite the victim. The invitation is then sent in the form of an email, containing the prompts. The next step is for the victim to instruct their AI to check for upcoming events. The AI will parse the prompt, create a new Calendar event with the details, and add the attacker, directly granting them access to sensitive information. "This bypass enabled unauthorized access to private meeting data and the creation of deceptive calendar events without any direct user interaction," the researchers told The Hacker News. "Behind the scenes, however, Gemini created a new calendar event and wrote a full summary of our target user's private meetings in the event's description," Miggo said. "In many enterprise calendar configurations, the new event was visible to the attacker, allowing them to read the exfiltrated private data without the target user ever taking any action." The issue has since been mitigated, Miggo confirmed. Via TheHackerNews

Indirect prompt injection in Google Gemini enabled unauthorized access to meeting data - SiliconANGLE

Indirect prompt injection in Google Gemini enabled unauthorized access to meeting data A new report out today from cybersecurity company Miggo Security Ltd. details a now-mitigated vulnerability in Google LLC's artificial intelligence ecosystem that allowed for a natural-language prompt injection potentially to bypass calendar privacy controls and exfiltrate sensitive meeting data via Google Gemini. The issue arose from Gemini's deep integration with Google Calendar, which allows the AI to parse event titles, descriptions, attendees and timing to answer routine user queries such as schedule summaries. Miggo's researchers found that by embedding a carefully worded prompt into the description field of a calendar invite, an attacker could plant a dormant instruction that Gemini would later execute when triggered by a normal user request. The attack relied entirely on natural language and no malicious code was required. The exploit involved three stages. The first stage involves an attacker sending a calendar invite containing a harmful but syntactically benign instruction that directed Gemini to summarize a user's meetings, create a new calendar event and store that summary in the event description. In the second stage, the payload remains inactive until the user asks Gemini a routine question about their schedule, causing the assistant to ingest and interpret all relevant calendar entries. The third stage then sees Gemini carrying out the embedded instructions and creating a new event that contained summaries of private meetings. In some enterprise configurations, that newly created event was visible to the attacker and provided unauthorized access to sensitive data without any direct user interaction. Miggo's researchers describe the methodology as a form of indirect prompt injection leading to an authorization bypass. The exploit evaded various defenses to detect malicious prompts because the instructions appeared plausible in isolation and only became dangerous when executed with Gemini's tool-level permissions. Google confirmed the findings and has since mitigated the vulnerability. The researchers argue that while the specific flaw may have been fixed, the incident highlights a broader shift in application security. To protect against such future events, the researchers say that "defenders must evolve beyond keyword blocking." "Effective protection will require runtime systems that reason about semantics, attribute intent and track data provenance," the report concludes. "In other words, it must employ security controls that treat large language models as full application layers with privileges that must be carefully governed."

Miggo Security bypasses Google Gemini defenses via calendar invites

Researchers bypassed Google Gemini's defenses to exfiltrate private Google Calendar data using natural language instructions. The attack created misleading events, delivering sensitive data to an attacker within a Calendar event description. Gemini, Google's large language model (LLM) assistant, integrates across Google web services and Workspace applications such as Gmail and Calendar, summarizing emails, answering questions, and managing events. The newly identified Gemini-based Calendar invite attack begins when a target receives an event invitation containing a prompt-injection payload in its description. The victim triggers data exfiltration by asking Gemini about their schedule, which causes the assistant to load and parse all relevant events, including the one with the attacker's payload. Researchers at Miggo Security, an Application Detection & Response (ADR) platform, discovered they could manipulate Gemini into leaking Calendar data through natural language instructions: "Because Gemini automatically ingests and interprets event data to be helpful, an attacker who can influence event fields can plant natural language instructions that the model may later execute," the researchers said. They controlled an event's description field, planting a prompt that Google Gemini obeyed despite the harmful outcome. Upon sending the malicious invite, the payload remained dormant until the victim made a routine inquiry about their schedule. When Gemini executed the embedded instructions in the malicious Calendar invite, it created a new event and wrote the private meeting summary into its description. In many enterprise configurations, the updated description became visible to event participants, potentially leaking private information to the attacker. Miggo noted that Google employs a separate, isolated model to detect malicious prompts in the primary Gemini assistant. However, their attack bypassed this safeguard because the instructions appeared innocuous. Miggo's head of research, Liad Eliyahu, told BleepingComputer that the new attack demonstrated Gemini's reasoning capabilities remained susceptible to manipulation, circumventing active security warnings and Google's additional defenses implemented after SafeBreach's August 2025 report. SafeBreach previously showed that a malicious Google Calendar invite could facilitate data leakage by seizing control of Gemini's agents. Miggo shared its findings with Google, which has since implemented new mitigations to block similar attacks. Miggo's attack concept highlights the complexities of anticipating new exploitation and manipulation models in AI systems where APIs are driven by natural language with ambiguous intent. Researchers suggested that application security must transition from syntactic detection to context-aware defenses.