Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Google Calendar. Show all posts
Vulnerabilities and Exploits
Data Leak Gemini Flaw Google Calendar User Privacy Vulnerabilities and Exploits

Gemini Flaw Exposed Via Malicious Google Calendar Invites, Researchers Find

 

Google recently fixed a critical vulnerability in its Gemini AI assistant, which is tightly integrated with Android, Google Workspace, Gmail, Calendar, and Google Home. The flaw allowed attackers to exploit Gemini via creatively crafted Google Calendar invites, using indirect prompt injection techniques hidden in event titles. 

Once the malicious invite was sent, any user interaction with Gemini—such as asking for their daily calendar or emails—could trigger unintended actions, including the extraction of sensitive data, the control of smart home devices, tracking of user locations, launching of applications, or even joining Zoom video calls. 

The vulnerability exploited Gemini’s wide-reaching permissions and its context window. The attack did not require acceptance of the calendar invite, as Gemini’s natural behavior is to pull all event details when queried. The hostile prompt, embedded in the event title, would be processed by Gemini as part of the conversation, bypassing its prompt filtering and other security mechanisms. 

The researchers behind the attack, SafeBreach, demonstrated that just acting like a normal Gemini user could unknowingly expose confidential information or give attackers command over connected devices. In particular, attackers could stealthily place the malicious prompt in the sixth invite out of several, as Google Calendar only displays the five most recent events unless manually expanded, further complicating detection by users. 

The case raises deep concerns about the inherent risks of AI assistants linked to rich context sources like email and calendars, where hostile prompts can easily evade standard model protections and inject instructions not visible to the user. This type of attack, called an indirect prompt injection, was previously flagged by Mozilla’s Marco Figueroa in other Gemini-related exploits. Such vulnerabilities pave the way for both data leaks and convincing phishing attacks. 

Google responded proactively, patching the flaw before public exploitation, crediting the research team for responsible disclosure and collaboration. The incident has accelerated Google’s deployment of advanced defenses, including improved adversarial awareness and mitigations against hijack attempts. 

Security experts stress that continued red-teaming, industry cooperation, and rethinking automation boundaries are now imperative as AI becomes more enmeshed in smart devices and agents with broad powers. Gemini’s incident stands as a wake-up call for the real-world risks of prompt injection and automation in next-generation AI assistants, emphasizing the need for robust, ongoing security measures.
Read more »
Vulnerabilities and Exploits
Google Google Calendar Vulnerabilities and Exploits

Google Calendar vulnerability affects 1 billion users


Google has finally acknowledged vulnerability in the Google Calendar app that left more than a billion users open to a credential-stealing exploit.

In 2017, two cybersecurity researchers at Black Hills Information Security had informed and demonstrated how they exploited the vulnerability in gaining access to the users credentials.

The vulnerability has put 1.5 billion users at risk.

A Google spokesperson responded to the researcher’s findings that "Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse."

Google is informing all its users about ”security protections for users by warning them of known malicious URLs via Google Chrome's Safe Browsing filters."

The Vulnerability inside Google Calendar allows anyone to schedule a meeting with you, and Gmail is built to integrate with calendaring functionality.

When a user get an invitation on the calendar, a pop-up notification appears on their smartphone. Hackers could create a messages that include a malicious link, and these links can direct users to a fake online poll or questionnaire with a financial incentive to participate and where bank account or credit card details can be collected.

"Beyond phishing, this attack opens up the doors for a whole host of social engineering attacks," Javvad Malik, a security awareness advocate at KnowBe4.
Read more »
Phishing Attack
cyber attack Google Google Calendar phishing Phishing and Spam Phishing Attack

Beware of new phishing scam that’s attacking Google Calendar

No matter which corner of the internet you visit, you'll find scammers trying to take advantage of you. You may already know to be skeptical of emails, Facebook posts, and dating profiles that seem too good to be true. And some times they even try to take control of our data - primarily the financial data - using the alleged calls from customer care executives. Quite frankly, no one is immune to receiving such unsolicited messages or emails. But thanks to their popularity, everyone knows the drill to safeguard themselves. Just don't click on suspicious emails or links and don't reveal your financial information to anyone and you are good to go. You know this. I know this and even scammers know this. And so now, reports are that there's a new type of security threat that targets your Google Calendar.

Scammers are using Google Calendar and other calendar apps to target innocent users in a new type of phishing scam, according to a global security firm.

Findings from the threat intelligence firm Kaspersky show there's been a recent wave of scam artists using hyperlink-embedded events to gain access to people's sensitive information. They start by spamming Google Calendar users with seemingly benign calendar invites. Anyone can accept the invitations, but the real targets are users with the default setting that automatically adds every event they're invited to to their Google Calendar. Once it's been added, Google sends notifications related to the event, making it seem more trustworthy.

The scam is thought to have happened throughout May this year.

The fake invitations contained a malicious website link that encouraged users to input their personal details, often in the form of a simple questionnaire that promised the chance to win money or other prizes if completed.

Kaspersky researchers say that users can safeguard themselves by turning off the automatic adding of invites to your Google Calendar app.
Read more »
Subscribe to: Posts (Atom)