1.8 billion Gmail users at risk: Experts warn of hidden threat stealing passwords silently

Google has reportedly issued a warning to 1.8 billion Gmail users around the world about a new type of scam. This sophisticated online scam uses invisible email prompts to trick its own AI assistant, Gemini into stealing passwords. According to a report by The Sun, the warning is for a specific kind of threat which is designed to fool users and lead them to reveal their login credentials. This alert also highlights the persistent threat of sophisticated cyberattacks that mainly target personal accounts online.The report adds that cybercriminals are embedding hidden instructions in emails with the help of white text and zero font size. This text is invisible to the user but can be easily read by Gemini. Whenever a user clicks on ‘summarise this email’ option, Gemini may generate fake security alerts and prompt the user to share their sensitive information of make calls to fraudulent support numbers.

How the scam works

As per the report by The Sun, the hackers embed som indirect prompt injections into emails. The Google chatbot— Gemini, then read these hidden commands and display false warnings on the screen of the user. The users are then asked to click on malicious links or call some fake support lines. The AI cannot distinguish between user queries and embedded hacker prompts which leads to the user being scammed.

What Google and experts recommend

Cybersecurity experts are urging all Gmail users to remain vigilant and adopt robust security practices. The experts have urged the users to not trust Gemini summaries which claim that their account has been compromised. The experts also advise users to configure email clients to detect and neutralise hidden content. The users can also use post-processing filters which will help in scanning suspicious keywords, URL’s or phone numbers. Also, consider switching to passkeys for stronger, phishing-resistant authentication.

Mozilla’s 0Din security team first uncovered the exploit, showing how Gemini could be manipulated into displaying a fake alert that a user’s password had been stolen. Google has acknowledged the issue but has yet to fully patch the vulnerability.