Indirect prompt injection allows attackers to extract private meeting data without user interaction

Cybersecurity researchers have disclosed a novel indirect prompt injection vulnerability that abused Google Gemini to bypass authorization controls and silently exfiltrate sensitive data using Google Calendar.

The issue demonstrated how AI-powered assistants can unintentionally expand the enterprise attack surface when they interpret untrusted natural-language input embedded inside routine business workflows.

How the Attack Works

The attack begins with a malicious calendar invitation sent to a targeted user. While the invite appears legitimate, its description field contains a carefully crafted natural-language prompt designed to manipulate the AI assistant at runtime.

When the victim later asks Gemini an innocent question such as “Do I have any meetings on Tuesday?”, the AI parses the hidden instruction inside the calendar event instead of simply answering the query.

As a result, Gemini automatically:

  • Summarizes the user’s private meetings
  • Creates a new calendar event
  • Writes extracted meeting details into the event description

Although the chatbot returns a harmless response, sensitive data has already been copied into a calendar object that, in many enterprise configurations, remains visible to the attacker.

Why This Bypass Is Dangerous

According to researchers at Miggo Security, the vulnerability allowed attackers to bypass calendar privacy controls without requiring downloads, clicks, or direct user interaction.

The exploit effectively turned Google Calendar into a covert data exfiltration channel. Because the attack relied on language and context rather than code execution, traditional security tools struggled to detect it.

AI Expands the Enterprise Attack Surface

This finding reinforces a growing industry concern: AI systems can be manipulated through the very language they are designed to understand.

Authorization boundaries weaken when AI assistants gain the ability to read, summarize, write, and create objects across multiple connected services. In this case, calendar automation became the bridge between private data and unauthorized access.
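
One way to enforce that boundary outside the model, as an added example that is not taken from Miggo Security's research or from Google's code: a tool-layer check that records when outside-authored text and the user's own meeting data share a session, and gates calendar writes accordingly. All names, the `corp.example` domain and the use of the attendee list to model who can see a new event are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

TRUSTED_DOMAIN = "corp.example"  # constructed: the user's own organisation

@dataclass
class Event:
    organizer: str
    description: str

@dataclass
class Session:
    tainted: bool = False       # text from an outside sender entered the context
    private_read: bool = False  # the user's own meeting data entered the context

def is_internal(address: str) -> bool:
    return address.lower().endswith("@" + TRUSTED_DOMAIN)

def read_events(session: Session, events: list[Event]) -> list[Event]:
    """Read tool: hand events to the model and record what the context now holds."""
    for ev in events:
        if is_internal(ev.organizer):
            session.private_read = True
        else:
            session.tainted = True
    return events

def authorize_create_event(session: Session, attendees: list[str],
                           user_confirmed: bool = False) -> str:
    """Runs in the tool layer, outside the model, before any calendar write."""
    if not (session.tainted and session.private_read):
        return "allow"
    if any(not is_internal(a) for a in attendees):
        return "deny"  # private data could become visible outside the organisation
    return "allow" if user_confirmed else "confirm"

def demo() -> list[str]:
    # Constructed sample data; the external description is only a placeholder.
    calendar = [
        Event("alice@corp.example", "Q3 planning"),
        Event("sender@outside.example", "<untrusted free text>"),
    ]
    session = Session()
    read_events(session, calendar)
    return [
        authorize_create_event(session, ["alice@corp.example"]),
        authorize_create_event(session, ["alice@corp.example"], user_confirmed=True),
        authorize_create_event(session, ["sender@outside.example"]),
    ]
```

The decision depends only on what entered the context and where the write would be visible, so it holds regardless of how the model interprets the event text.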

Part of a Broader AI Security Trend

The disclosure follows several recent AI-related security findings, including:

  • Data exfiltration attacks against AI assistants such as Microsoft Copilot
  • Privilege escalation risks in Google Cloud Vertex AI
  • Indirect prompt injection abuse in Anthropic Claude Code
  • Remote code execution via agentic IDEs such as Cursor

Security researchers continue to observe that AI agents often lack strong isolation and authorization enforcement, especially when interacting with APIs, storage, or workflow automation.

Why Organizations Should Care

AI assistants increasingly access calendars, documents, repositories, and cloud resources. Each integration introduces a potential exfiltration path if safeguards are weak.

Without continuous testing and oversight, attackers can exploit trusted AI behavior to leak sensitive business data, bypass monitoring, and operate silently inside enterprise environments.

Key Takeaway

AI security risks no longer live only in software vulnerabilities.
They now exist in language, context, and automated decision-making.

Organizations must treat AI systems as high-risk workloads and apply strict controls before deploying them across critical workflows.