Google Alerts: Indirect Prompt Injection Abuse Targets Gemini Assistant

Unlike traditional prompt injection, where an attacker explicitly feeds malicious instructions to a model, indirect prompt injection works by hiding those instructions inside external content. This might be a webpage, an email, or even metadata in a document. When an AI like Gemini consumes the content, the embedded instructions are executed without the user realising.

The result is a subtle but powerful exploit vector. Attackers can coerce an assistant into revealing secrets, sending data to external servers, or ignoring security guardrails. Because the payload is camouflaged in seemingly harmless material, standard filtering and monitoring tools are often ineffective.

The technique represents a new class of AI supply-chain risk. Any workflow where an AI consumes untrusted data—such as browsing, summarising documents, or automating email responses—becomes a potential attack surface. For penetration testers, this is analogous to discovering hidden injection vectors in third-party dependencies.

Google has responded by tightening filters, publishing guidance, and stressing the importance of input separation and context isolation. However, as security researchers point out, this is not a bug that can be patched—it is a fundamental weakness in how language models follow instructions. Long-term mitigations may require architectural safeguards, such as verification layers, sandboxed execution, and human approval before models perform high-risk actions.

The warning serves as a reminder that attackers are not only targeting users of AI systems—they are also manipulating the content those systems consume. For defenders, this means expanding threat models to include adversarial content injection and preparing to counter attacks that exploit the trust AI places in external data sources.