- Google won’t fix Gemini’s ASCII smuggling flaw, calling it a user-side social engineering issue
- Attackers hide malicious prompts in invisible email text that Gemini reads during summarization
- Gemini’s integration with Workspace apps makes it vulnerable to hidden prompt-triggered phishing attacks
A recently-detected “ASCII smuggling attack” will not be getting a fix in Google’s Gemini artificial intelligence tool, the company has said – saying it is not a security issue but rather a social engineering tactic and as such, the responsibility falls on the end user.
This is according to Viktor Markopoulos, a security researcher at FireTail, who demonstrated the risks these attacks pose to Gemini users but was apparently dismissed by the company.
ASCII smuggling is a type of attack in which crooks trick victims into prompting their AI tool a malicious command that puts their computers and data at risk. The trick works by “smuggling”, or hiding, the prompt in plain sight by, for example, having the AI read text invisible to the human behind the screen.
Smuggling prompts
In the early years of AI, this wasn’t much of an issue, because the user needed to bring up the AI tool and type (or copy/paste) the prompt themselves. However, a lot has changed since then and many AI tools are now being integrated with other apps and platforms.
Gemini, for example, is now integrated with Google Workplace, being able to pull data from Sheets, generate text in Docs, and read and summarize emails.
This last point is crucial here. As Markopoulos demonstrated, a threat actor could send a phishing email that, on the surface, looks completely legitimate.
However, it also comes with a malicious prompt written in font 0, in white, on a white background, so that the reader doesn’t even see it. But when the victim asks Gemini to summarize the email, the tool reads the prompt too, and responds to it.
That prompt could be to display a message saying “your computer is compromised, call Google to mitigate the threat immediately,” or a similar message, standard to phishing tricks.
Even more ominously, the prompt could force different AI agents to exfiltrate sensitive data from the inbox. All it takes is a simple, benign command from the user, to summarize or read the contents of the email.
Via BleepingComputer
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
