
Urgent warning to all 1.8b Gmail users over 'new wave of threats' stealing accounts… Do this NOW
Hackers are using Google Gemini, the AI tool built into Gmail and Workspace, to trick users into handing over their credentials.
Cybersecurity experts found that bad actors are sending emails with hidden instructions that prompt Gemini to generate fake phishing warnings, tricking users into sharing their account password or visiting malicious sites.
These emails are crafted to appear urgent and sometimes to look as if they come from a business.
By setting the font size to zero and the text color to white, attackers can insert prompts invisible to users but actionable by Gemini.
Marco Figueroa, GenAI bounty manager, demonstrated how such a malicious prompt could falsely alert users that their email account has been compromised, urging them to call a fake 'Google support' phone number provided to resolve the issue.
To counter these prompt injection attacks, experts recommend that companies configure email clients to detect and neutralize hidden content in message bodies.
Additionally, implementing post-processing filters to scan inboxes for suspicious elements like 'urgent messages,' URLs, or phone numbers could bolster defenses against such threats.
The trick was uncovered after research, led by Mozilla's 0Din security team, showed proof of one of the attacks last week.
The report demonstrated how Gemini could be fooled into displaying a fake security alert, one that claimed the user's password had been compromised. It looked real but was entirely built by hackers to steal information.
The trick works by embedding the prompt in white text that blends into the email background. So when someone clicks 'summarize this email,' Gemini processes the hidden message, not just the visible text.
This type of manipulation, called 'indirect prompt injection,' takes advantage of AI's inability to tell the difference between a user's question and a hacker's hidden message.
According to IBM, AI cannot tell the difference, as they both look like text, so AI follows whichever comes first, even if it is malicious.
Security firms like Hidden Layer have shown how an attacker could craft a completely normal-looking message but fill it with hidden codes and URLs, tools designed to fool AI.
In one of the cases, hackers sent an email that looked like a calendar invite. But inside the email, hidden commands told Gemini to warn the user about a fake password breach, tricking them into clicking a malicious link.
Google admitted this kind of attack has been a problem since 2024 and said it added new safety tools to stop it, but the trick appears to still be working.
In one case, a major security flaw reported to Google showed how attackers could hide fake instructions inside emails that trick Gemini into doing things users never asked for.
Instead of fixing the issue, Google marked the report as 'won't fix,' meaning they believe Gemini is working the way it is supposed to.
That decision shocked some security experts, because it basically means Google sees this behavior, not recognizing hidden instructions, as expected, not broken.
This means that the door is still open for hackers to sneak in commands that the AI might follow without question.
Experts are concerned: if the AI cannot tell the difference between a real message and a hidden attack, and Google will not fix the behavior, the risk remains active. AI is also becoming more popular for quick decisions and email summaries.
It is not just Gmail: the risk spreads as AI is incorporated into Google Docs, Calendar, and outside apps. Cybersecurity experts say some of these attacks are even being created and carried out by other AI systems, not just human hackers.
Google has reminded users that it does not issue security alerts through Gemini summaries. So if a summary tells you your password is at risk or gives you a link to click, treat it as suspicious and delete the email.
In a recent blog post, Google said that Gemini now asks for confirmation before doing anything risky, like sending an email or deleting something. That extra step gives users a chance to stop the action, even if the AI was tricked.
Google also displays a yellow banner if it detects and blocks an attack. If the system finds a suspicious link in a summary, it removes it and replaces it with a safety alert. But some problems still have not been solved.
