Google has declined to fix a security vulnerability in its Gemini AI assistant that allows attackers to embed hidden instructions in emails and calendar invites. The flaw, known as ASCII smuggling, uses invisible characters that users cannot see but that artificial intelligence systems can read and process.
Security researcher Viktor Markopoulos from cybersecurity firm FireTail discovered the vulnerability and reported it to Google in September. The company dismissed the issue, stating it only constitutes social engineering rather than a technical security bug.
ASCII smuggling exploits special characters from the Tags Unicode block to create payloads invisible to human eyes. The Tags Unicode block contains control characters originally designed for technical purposes and not intended for visual display. These hidden instructions can manipulate AI behavior and alter the information Gemini provides to users.
The technique poses particular risks given Gemini's integration with Google Workspace. Attackers could embed hidden text in calendar invitations or emails that Gemini processes when summarizing content.
Markopoulos demonstrated several attack scenarios. In one test, he successfully hid instructions in a calendar invite title and overwrote organizer details. In another example, an invisible instruction tricked Gemini into recommending a potentially malicious website for purchasing discounted phones.
For users who connect AI tools to their inboxes, hidden commands in emails could instruct Gemini to search for sensitive information or extract contact details. According to FireTail, this transforms ordinary phishing attempts into an "autonomous data extraction tool".
FireTail tested six major AI systems against ASCII smuggling attacks. OpenAI's ChatGPT, Microsoft Copilot, and Anthropic's Claude successfully blocked the attacks through input sanitization. However, Gemini, DeepSeek, and Grok all proved vulnerable. (Source: androidauthority.com)
FireTail CEO Jeremy Snider recommended that organizations consider disabling Gemini's automatic access to Gmail and Google Calendars until the vulnerability is addressed. He emphasized that eliminating social engineering risks does improve user safety, directly contradicting Google's position.
Other technology companies have taken the threat more seriously. Amazon has published detailed security guidance addressing Unicode character smuggling. (Source: csoonline.com)