AI-GEMINI-WORKSPACE-2025
Google Gemini · Gemini for Workspace email summarization
Summary
Marco Figueroa of Mozilla's 0DIN program documented a Gemini for Workspace flaw where an attacker hides instructions inside an email using tags styled with font-size zero or white-on-white text, invisible to the recipient. When the user clicks Summarize this email, Gemini processes the raw HTML and treats the hidden directive as a high-priority instruction, appending an attacker-crafted fake security warning, such as a fake support phone number, that appears to come from Google. No links or attachments are required, enabling credential harvesting and vishing at scale through indirect prompt injection.
How to avoid it in your code
- Strip hidden HTML (font-size zero, white-on-white) before the model summarizes email.
- Treat email content as untrusted data, not high-priority instructions.
- Sanitize/encode model output so injected fake warnings and phone numbers are not surfaced as trusted.
- Flag AI summaries as untrusted and warn users not to act on embedded contact details.
- Apply input guardrails to detect injected directives in retrieved content.
References
- https://0din.ai/blog/phishing-for-gemini
- https://www.tomshardware.com/tech-industry/cyber-security/investigation-reveals-google-gemini-for-workspace-flaw-that-could-have-been-exploited-to-enlist-the-ai-in-phishing-schemes-summarize-this-email-tool-would-faithfully-obey-malicious-instructions-hidden-inside-an-email
- https://cybersecuritynews.com/hackers-exploit-gemini-prompt-injection/
Related vulnerabilities
All AI/LLM →- HIGHAI-SHADOWLEAK-2025
ShadowLeak is a server-side zero-click indirect prompt-injection attack against ChatGPT's Deep Research agent, discovered by Radware. An attacker emails the victim a message with instructions hidden in the HTML using white-on-white text and tiny fonts; when the user runs Deep Research over their inbox, the agent autonomously follows the hidden instructions and exfiltrates personal and inbox data. The distinguishing trait is that exfiltration occurs entirely server-side within OpenAI's cloud infrastructure, making it invisible to local and enterprise network defenses. The Gmail proof of concept generalizes to any Deep Research connector; OpenAI fixed it before public disclosure with no evidence of in-the-wild exploitation.
- HIGHAI-SLACK-PROMPT-INJECTION-2024
PromptArmor disclosed an indirect prompt-injection data-exfiltration flaw in Slack AI. An attacker with only the ability to post in a public channel plants adversarial instructions; when any Slack AI user later queries the assistant, the model ingests the planted text and follows it. The injection makes Slack AI render a deceptive Markdown link whose URL encodes private-channel data in the query string, so clicking it exfiltrates the secret to the attacker's server. A subsequent Slack update that added files from channels and DMs to AI answers widened the attack surface.
- HIGHAI-CHATGPT-MARKDOWN-EXFIL-2023
Johann Rehberger showed that ChatGPT auto-renders Markdown image syntax, so an indirect prompt injection from a retrieved web page or document can instruct the model to URL-encode prior conversation data and embed it as a query parameter in an image URL pointing to an attacker server. Merely rendering the image silently exfiltrates the data, and the same trick can chain plugins in what he called Cross Plugin Request Forgery. He reported it to OpenAI in April 2023; a 2024 follow-up named SpAIware reused the same channel plus ChatGPT's Memory feature to achieve persistent exfiltration on the macOS app, later fixed with a url_safe API check.
- HIGHAI-CLAUDECODE-SOURCEMAP-2026
On March 31, 2026, Anthropic accidentally shipped the full source of its Claude Code CLI inside a published npm package. A missing .npmignore rule for *.map left a roughly 59.8 MB source map in the tarball, embedding about 512,000 lines of unobfuscated TypeScript across some 1,900 files, including internal prompts, tool definitions and architecture. The root cause was a packaging failure compounded by a bundler bug: Bun continued emitting source maps even when generation was disabled, and nothing stripped or excluded them before publish. Because npm releases are immutable and mirrored instantly, the source was cloned, dissected and re-hosted within hours, and a clean-room reimplementation reached tens of thousands of GitHub stars the same day. It is a textbook source-map disclosure: the sourcesContent field of a .map file carries the original code verbatim, so a single map left in a shipped artifact hands an attacker the entire codebase, comments and all. The same class hit Apple's App Store web front-end in November 2025, where production source maps left enabled let a researcher reconstruct and publish the full client source.
- CRITICALAI-COPILOT-CAMOLEAK-2025
Legit Security disclosed CamoLeak (CVSS 9.6), a critical vulnerability in GitHub Copilot Chat enabling silent exfiltration of private source code and secrets. The attack combined remote prompt injection via hidden pull-request comments with a CSP bypass that abused GitHub's own Camo image proxy: injected instructions made Copilot extract sensitive repo context, encode it character-by-character into a pre-generated dictionary of Camo image URLs, and leak it through image requests to an attacker server. GitHub mitigated it by disabling image rendering in Copilot Chat in August 2025.
- CRITICALAI-TEA-APP-BREACH-2025
The Tea women's-safety app left a Google Firebase Storage bucket publicly accessible with no authentication and directory listing enabled, exposing roughly 72,000 images including about 13,000 verification selfies and government IDs (driver's licenses, passports) and about 59,000 images from posts and messages; a separate exposed datastore leaked over 1 million private user messages. The stolen data was dumped on 4chan, fueling doxxing and harassment. Analysis showed hallmarks of rapidly built apps, including hardcoded API keys and client tokens in the source and an unsecured legacy storage system retained after a 2024 migration.