Google has issued a critical warning to over 1.8 billion Gmail users worldwide about a sophisticated cyberattack that uses artificial intelligence to steal passwords without detection. The new threat targets Gmail’s AI assistant, Google Gemini, through a technique called indirect prompt injection. Cybercriminals are sending emails embedded with invisible text—set in zero font size and white color—making it unreadable to the human eye but fully visible to the AI system.
When a user clicks the “summarize this email” feature powered by Gemini, the AI reads not only the visible content but also the hidden prompts. These hidden instructions can trigger fake alerts that falsely warn users their Gmail account has been compromised. Believing these alerts are real, victims may follow instructions to click malicious links or call fraudulent support numbers, ultimately leading to password theft or data breaches.
This method was discovered by the 0Din security team at Mozilla, which demonstrated how Gemini could be manipulated to create highly convincing, AI-generated phishing messages. In one example, the hidden text instructed Gemini to warn the recipient that their Gmail password had been leaked and urged them to contact a fake Google support number. Because Gemini cannot yet differentiate between safe content and maliciously injected prompts—especially when the hidden command appears first in the message—the threat is difficult to detect.
The flaw lies in the way AI tools process input. While a user may only see the normal content, Gemini interprets all embedded instructions and responds accordingly. The attack becomes even more concerning because Gemini is integrated across multiple services, including Gmail, Docs, Calendar, and some third-party apps, increasing the potential reach of such exploits.
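As an added illustration (not code from the article, Google, or the 0Din researchers), the following Python script separates the text a human reader would see in an HTML email body from text styled to be invisible, the zero-font-size and white-colour trick described above, so a mail gateway or reviewer can surface such fragments before an AI assistant summarizes the message. The sample email and its placeholder hidden text are constructed for this example.

```python
from html.parser import HTMLParser
import re

# Inline-style patterns that make text unreadable to a human: zero font size,
# or white text (flagged as suspicious even without checking the background).
ZERO_FONT = re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I)
WHITE_TEXT = re.compile(
    r"(?<![\w-])color\s*:\s*(?:white|#fff(?:fff)?(?![0-9a-f])|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "wbr"}  # never closed

def is_hidden_style(style: str) -> bool:
    """True if an inline style would hide the element's text from a reader."""
    return bool(ZERO_FONT.search(style) or WHITE_TEXT.search(style))

class HiddenTextScanner(HTMLParser):
    """Splits an HTML body into text a human sees and text only a machine sees."""
    def __init__(self):
        super().__init__()
        self._stack = []   # one bool per open element: is this subtree hidden?
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return                      # void elements get no closing tag
        style = dict(attrs).get("style") or ""
        inherited = bool(self._stack and self._stack[-1])
        self._stack.append(inherited or is_hidden_style(style))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            (self.hidden if self._stack and self._stack[-1] else self.visible).append(text)

def scan_email(html: str) -> dict:
    """Return {'visible': [...], 'hidden': [...]} text fragments for an HTML body."""
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    return {"visible": scanner.visible, "hidden": scanner.hidden}

# Constructed sample: a normal message plus a div styled to be invisible.
SAMPLE_EMAIL = """<html><body>
<p>Hi, your March invoice is attached.<br>Thanks!</p>
<div style="font-size:0;color:#ffffff">CONSTRUCTED PLACEHOLDER for injected instructions</div>
<p>Regards, Accounts</p>
</body></html>"""

if __name__ == "__main__":
    for fragment in scan_email(SAMPLE_EMAIL)["hidden"]:
        print("HIDDEN TEXT:", fragment)
```

A non-empty `hidden` list is a reason to quarantine the message or at least to distrust any AI-generated summary of it; the check is deliberately conservative and will also flag legitimately white-styled text.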
Cybersecurity experts are urging users to be vigilant. Since Gemini does not currently filter out hidden or harmful prompts, users are advised to avoid relying on AI-generated summaries for security alerts. Google has also confirmed it does not send security messages through Gemini, and users should treat any such notifications with suspicion. For now, users are advised to refrain from clicking unknown links, ignore suspicious summaries, and disable summarization tools for sensitive emails until a fix is rolled out.