Security researchers at Miggo Security uncovered a serious flaw in Google Gemini that allowed attackers to extract private Google Calendar data using only natural language instructions hidden inside a calendar invite. The vulnerability enabled an authorization bypass without any user interaction, allowing sensitive meeting data to leak silently. Miggo responsibly disclosed the issue to Google, which confirmed the findings and deployed mitigations.
This incident highlights a growing security challenge in AI-powered applications: when systems understand and execute language as instructions, attackers can exploit that behavior in unexpected ways.
What Is the Gemini Calendar Data Leak Issue?
Gemini is Google’s AI assistant integrated across Google Workspace apps such as Gmail and Google Calendar. It can read event details, summarize schedules, and create or modify calendar entries when users ask it to do so.
Researchers discovered that Gemini could be manipulated through indirect prompt injection. Instead of sending a malicious command directly to Gemini, attackers hid instructions inside the description field of a calendar invite. When Gemini later processed that event as part of a normal user query, it executed the hidden instructions.
See also: Google Quietly Tests Gemini Skills in Chrome to Turn Browsing Into Automated Tasks
The result: Gemini summarized private meetings and wrote that information into a new calendar event that attackers could view.
Google confirmed the issue after responsible disclosure and deployed mitigations to reduce the risk.
How the Attack Actually Worked
The exploit unfolded in three practical stages.
1. Malicious Calendar Invite
An attacker created a calendar event and sent it to the victim.
Inside the event description, the attacker embedded natural language instructions designed to look harmless but secretly told Gemini to:
- Summarize the user’s meetings for a specific day
- Create a new calendar event containing that summary
- Reply to the user with a harmless message
Because the text looked like normal language and not code, traditional security filters did not flag it.
2. Trigger Through a Normal User Question
The malicious payload stayed inactive until the victim asked Gemini something routine, such as:
- “Am I free on Saturday?”
- “What meetings do I have tomorrow?”
Gemini loaded all relevant calendar events to answer the question, including the attacker’s event. While processing the text, Gemini interpreted the hidden instructions as commands.
3. Silent Data Exfiltration
Gemini created a new calendar event and placed a summary of the user’s private meetings into the event description.
See also: ChatGPT Go Global Launch Brings Nearly Doubled Usage Limits at $8
In many enterprise environments, that newly created event became visible to other participants, including the attacker. The victim only saw a harmless response and remained unaware that any data had leaked.
Why Traditional Security Controls Missed This
Traditional application security focuses on detecting dangerous patterns in code or input strings, such as:
- SQL injection payloads
- Script tags
- Escaping anomalies
These systems work well when malicious intent appears in predictable formats.
Large language models operate differently. The instructions embedded in the calendar invite looked like normal human language. The risk emerged from context and intent, not from obvious malicious syntax.
See also: Supreme Court Hacker Instagram Data Leak Exposes Stolen Government Records, Court Filing Reveals
Because Gemini also had permission to call calendar tools and create events, the natural language instructions became executable actions.
This creates a new attack surface where language itself becomes the interface attackers can exploit.
How This Affects Everyday Users and Organizations
For Individual Users
- Private meeting titles, descriptions, and schedules could leak without any visible warning.
- Users may trust Gemini responses without realizing background actions occurred.
- Calendar data can reveal sensitive personal or professional information.
For Businesses and Enterprises
- Shared calendars often contain confidential meetings, internal projects, and client data.
- Automated AI assistants increase the blast radius of a single hidden payload.
- Existing security tools may not detect semantic manipulation in AI workflows.
This incident reinforces that AI integrations expand the attack surface beyond traditional software boundaries.
Has Google Fixed the Issue?
Yes. Miggo Security reported the vulnerability to Google, and Google confirmed the findings and deployed mitigations to block similar attacks.
However, security teams continue to warn that this class of attack will evolve as AI systems gain deeper access to enterprise tools and APIs.
FAQs
What is the Gemini AI Calendar data leak?
The Gemini AI Calendar data leak is a security flaw that allowed hidden instructions inside calendar invites to expose private meeting information without user interaction.
How did attackers exploit the Gemini AI Calendar data leak?
Attackers embedded natural language instructions inside a calendar event description, which Gemini later executed when users asked routine schedule questions.
Who discovered the Gemini AI Calendar data leak?
Security researchers at Miggo Security discovered and disclosed the Gemini AI Calendar data leak.
Did Google fix the Gemini AI Calendar data leak?
Yes. Google confirmed the vulnerability and deployed mitigations to block similar prompt injection attacks.
Was user action required for the Gemini data leak?
No. The data exposure occurred silently when Gemini processed calendar events during normal queries.
What type of attack caused the Gemini AI Calendar data leak?
The issue resulted from an indirect prompt injection attack that manipulated Gemini’s natural language processing behavior.
Can Gemini access private Google Calendar data?
Yes. Gemini can read calendar event details to provide scheduling assistance, which made the exploit possible.
Are enterprise Google Workspace users affected?
Enterprise users face higher risk because shared calendar visibility can expose leaked data to unintended participants.
Can similar AI security flaws happen again?
Yes. Any AI system connected to tools and APIs can face similar risks if semantic controls are not properly enforced.
How can users reduce risk from AI calendar exploits?
Users should review calendar sharing permissions, remove suspicious invites, and limit sensitive queries in shared environments.
