{"id":328,"date":"2026-03-10T16:16:42","date_gmt":"2026-03-10T16:16:42","guid":{"rendered":"https:\/\/haco.club\/?p=328"},"modified":"2026-03-10T16:16:42","modified_gmt":"2026-03-10T16:16:42","slug":"black-hat-usa-2025-invoking-gemini-for-workspace-agents-with-a-simple-google-calendar-invite","status":"publish","type":"post","link":"https:\/\/haco.club\/?p=328","title":{"rendered":"Black Hat USA 2025 | Invoking Gemini for Workspace Agents with a Simple Google Calendar Invite"},"content":{"rendered":"\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Black Hat USA 2025 | Invoking Gemini for Workspace Agents with a Simple Google Calendar Invite\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/nmMUMzLxBkU?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p><strong>&#8220;Invitation is All You Need! TARA for Targeted Promptware Attack against Gemini-Powered Assistants,&#8221;<\/strong>&nbsp;presented by Ben Nassi, Or Yair, and Stav Cohen.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Core Premise<\/strong><\/h3>\n\n\n\n<p>The presentation introduces a new and highly practical class of attack the researchers call&nbsp;<strong>&#8220;Promptware,&#8221;<\/strong>&nbsp;aimed at personal assistants powered by Large Language Models (LLMs), such as Google&#8217;s Gemini for Workspace and Gemini on Android. 
The researchers demonstrate how an attacker can take control of a victim&#8217;s assistant simply by sending a Google Calendar invitation whose event text carries hidden, malicious instructions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>The Attack Mechanism: Indirect Prompt Injection<\/strong><\/h3>\n\n\n\n<p>Promptware needs no memory-corruption bug and no malware on the victim&#8217;s device. It exploits the fact that an LLM processes everything in its context window as a single stream of text and cannot reliably tell the user&#8217;s instructions apart from instructions embedded in the data it was asked to read. Because the attacker&#8217;s text reaches the model through retrieved data (a calendar event) rather than through the chat box, this is an <em>indirect<\/em> prompt injection.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>The Vector:<\/strong>\u00a0The attacker sends a Google Calendar invite containing a malicious prompt hidden in the event details.<\/li>\n\n\n\n<li><strong>The Trigger:<\/strong>\u00a0When the victim innocently asks their Gemini assistant, &#8220;Summarize my calendar for today,&#8221; Gemini fetches the day&#8217;s events and reads the malicious invite along with the legitimate ones.<\/li>\n\n\n\n<li><strong>The Compromise (Context Poisoning):<\/strong>\u00a0Gemini ingests the hidden instructions as if they were part of the user&#8217;s request. From that point the attacker&#8217;s text steers the assistant&#8217;s replies and tool calls, so the assistant effectively becomes an agent acting on the attacker&#8217;s behalf while still appearing to serve the user.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Demonstrated Exploits (&#8220;Magic Tricks&#8221;)<\/strong><\/h3>\n\n\n\n<p>Through a series of live demonstrations, the researchers showed how this poisoned context could be used to carry out severe attacks without the user&#8217;s explicit consent:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Roleplay, Spam, and Toxicity:<\/strong>\u00a0The injected instructions made Gemini ignore its safety guardrails, spamming the user with fake financial advice, steering them to external websites, and even aggressively cursing at the user.<\/li>\n\n\n\n<li><strong>Tool Misuse:<\/strong>\u00a0Because Gemini can act on the user&#8217;s Google Workspace data, the poisoned prompt instructed it to silently delete legitimate events from the user&#8217;s calendar.<\/li>\n\n\n\n<li><strong>Automatic Agent Invocation 
(Physical IoT Control):<\/strong>\u00a0Gemini does not let the output of one agent (here, the calendar agent) directly trigger a second agent such as Google Home; a further tool call normally needs a fresh user turn. The researchers sidestepped this with a technique they call\u00a0<strong>Delayed Tool Invocation<\/strong>: the injected prompt told Gemini not to act immediately but to perform the Google Home action the next time the user sent an ordinary message such as &#8220;Thanks.&#8221; That benign reply became the trigger, and the attacker remotely switched on a physical boiler in the victim&#8217;s home.<\/li>\n\n\n\n<li><strong>Automatic App Invocation (Surveillance):<\/strong>\u00a0Gemini filters the URLs it is willing to open, which blocks a direct attempt to launch a malicious application URI. The researchers bypassed the filter by hiding the target behind a standard URL shortener. Once Gemini opened the shortened link on the victim&#8217;s Android phone, the redirect launched the Zoom app and joined an attacker-controlled meeting with the camera turned on.<\/li>\n\n\n\n<li><strong>Data Exfiltration:<\/strong>\u00a0The injected prompt instructed Gemini to read the subject lines of the user&#8217;s private Gmail inbox, append that text to an attacker-controlled URL, and &#8220;open&#8221; the link. Opening the URL delivered the data to the attacker&#8217;s server as an HTTP GET request, with no visible upload step. The practical lesson for defenders is that any tool which lets the model open a URL it composed itself is an exfiltration channel, regardless of what the user actually asked for.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Risk Assessment (TARA)<\/strong><\/h3>\n\n\n\n<p>The team applied a Threat Analysis and Risk Assessment (TARA) framework to rate the severity of the Promptware threats. They concluded that&nbsp;<strong>73% of the threats analysed pose High or Critical risk to end users.<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Highly Practical:<\/strong>\u00a0Unlike traditional adversarial-ML attacks, which demand PhD-level expertise or massive compute, this attack requires no prior access to the victim&#8217;s account, device or model. 
The attacker only needs the victim&#8217;s email address to send the calendar invite.<\/li>\n\n\n\n<li><strong>Severe Impact:<\/strong>\u00a0The attacks crossed from the digital realm into the physical world (controlling IoT devices in the victim&#8217;s home) and caused serious privacy and safety harms: silent deletion of the user&#8217;s data, covert video surveillance, and exfiltration of private email subject lines.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Conclusion and Disclosure<\/strong><\/h3>\n\n\n\n<p>The researchers warned that the industry must stop treating LLM prompt injection as a theoretical or &#8220;exotic&#8221; risk and start treating it as a critical vulnerability class.<\/p>\n\n\n\n<p>They responsibly disclosed their findings to Google in February 2025. Google acknowledged the vulnerabilities, awarded the team a bug bounty, and rolled out multi-layered mitigations across the Gemini ecosystem before the presentation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;Invitation is All You Need! TARA for Targeted Promptware Attack [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[35,56,5],"class_list":["post-328","post","type-post","status-publish","format-standard","hentry","category-black-hat","tag-llm","tag-prompt-injection","tag-security"],"_links":{"self":[{"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts\/328","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=328"}],"version-history":[{"count":1,"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts\/328\/revisions"}],"predecessor-version":[{"id":329,"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts\/328\/revisions\/329"}],"wp:attachment":[{"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=328"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=328"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=328"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}