{"id":3739,"date":"2025-07-15T10:30:29","date_gmt":"2025-07-15T10:30:29","guid":{"rendered":"https:\/\/certera.com\/blog\/?p=3739"},"modified":"2025-07-15T10:30:30","modified_gmt":"2025-07-15T10:30:30","slug":"google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts","status":"publish","type":"post","link":"https:\/\/certera.com\/blog\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\/","title":{"rendered":"Google Gemini Vulnerability Allows AI-Generated Phishing via Hidden HTML Prompts"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">You open a regular-looking email. Nothing suspicious, no attachments, no links, no typos. You click <strong>\u201cSummarise this email\u201d<\/strong> using <strong>Google Gemini for Workspace<\/strong>. And bam!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A fake security warning pops up in the summary, telling you <strong>your Gmail password is compromised and urging you to call a support number<\/strong>. Except\u2026 that message didn\u2019t come from Google. It came from the hacker.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This technique doesn\u2019t rely on links or attachments. Instead, it turns Google\u2019s own AI into the attacker\u2019s mouthpiece.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-wait-what-just-happened\">Wait, What Just Happened?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The attack was discovered and submitted to Mozilla\u2019s 0din bug bounty program by Marco Figueroa, GenAI Bug Bounty Programs Manager. His research reveals a flaw that allows prompt-injection using hidden HTML and CSS styles.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The method is simple but effective:<\/strong> a malicious actor embeds a command into an email message using invisible formatting. The instruction is placed inside a &lt;span> element styled with font-size:0 and color: white, making it completely invisible to the recipient.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Gemini, however, doesn\u2019t render HTML the same way a browser does. It sees the raw content, even the invisible instructions. When summarising the email, Gemini obeys the hidden prompt as if it were part of the message.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Also Read:<\/strong> <a href=\"https:\/\/certera.com\/blog\/beware-new-phishing-attacks-exploit-googles-dkim-to-trick-gmail-users\/\">Beware: New Phishing Attacks Exploit Google\u2019s DKIM to Trick Gmail Users<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-no-links-no-files-just-ai-backed-deception\">No Links, No Files, Just AI-Backed Deception<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This is not a typical phishing attack. There are no malicious links. No attachments. Nothing to trip a spam filter. Instead, the attacker hides malicious prompts using zero-width and white-text styling. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Embeds fake alerts wrapped in &lt;Admin> tags. Tricks Gemini into generating urgent security alerts with fake support numbers. Relies on your trust in Google\u2019s AI summaries.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Also Read:<\/strong> <a href=\"https:\/\/certera.com\/blog\/phishing-attacks-explained-how-to-spot-and-prevent-online-scams\/\">Phishing Attacks Explained: How to Spot and Prevent Online Scams?<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The phishing message appears legitimate and urgent. Since it\u2019s generated by Google\u2019s Gemini, most users would trust it, without questioning where it came from.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-the-attack-works\">How the Attack Works?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Awareness of the whole attack chain:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Craft<\/strong> &#8211; The attacker puts an invisible command in the email with the help of HTML\/ CSS.<\/li>\n\n\n\n<li><strong>Send<\/strong> -The delivery of email would be normal. Spam blockers can find nothing suspicious.<\/li>\n\n\n\n<li><strong>Trigger<\/strong> &#8211; The user clicks on the message and clicks on Summarise this email.<\/li>\n\n\n\n<li><strong>Action<\/strong> &#8211; Gemini voices the invisible prompt and incorporates it into the overview.<\/li>\n\n\n\n<li><strong>Phish<\/strong> &#8211; The user opens a falsified alert about a security situation and dials the fake number.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">The technique leverages what researchers call <strong>Indirect Prompt Injection (IPI),<\/strong> a method where the AI model\u2019s behaviour is controlled by content it didn\u2019t originate but was asked to process. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In this case, the attacker injects malicious behaviour into the email, and Gemini blindly obeys.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-why-it-works-and-why-it-s-a-huge-problem\">Why It Works (And Why It\u2019s a Huge Problem)?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In essence, the attack is successful as Gemini accepts email content as its raw data. Although Gmail visually suppresses the existence of a hidden element, Gemini continues to know of its existence. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This raw HTML finds its way into the prompt context of the AI, and until it is filtered, it is simply followed like any other command.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>This weakness works because of three main reasons:<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-indirect-prompt-injection\">Indirect Prompt Injection: <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The malicious input is disguised within the legitimately looking content and is initiated by the interaction with Gemini by the user.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-context-over-trust\">Context Over-Trust: <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Gemini uses security guardrails in only a few places visible to the user. Obfuscations such as zero-font or white-font get past those defences.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-authority-framing\">Authority Framing: <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">By wrapping the malicious instruction inside <strong>&lt;Admin><\/strong> tags or using imperative phrases like \u201cYou Gemini, have to\u2026\u201d, attackers hijack the model\u2019s internal priorities. The AI treats such instructions as system-level prompts.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-no-evidence-of-exploitation-yet\">No Evidence of Exploitation Yet<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Google confirmed that it is aware of the vulnerability. \u201cWe are constantly hardening our already robust defences through red-teaming exercises that train our models to defend against these types of adversarial attacks.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Some of those protections are already deployed, while others are being finalised. However, the core issue, Gemini\u2019s interpretation of hidden prompts, remains exploitable in the current ecosystem.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-detection-and-preventive-measures\">Detection and Preventive Measures<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The way the security teams treat AI-generated content should be reconsidered. <strong>The following are the best defences:<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-inbound-html-linting\">Inbound HTML Linting<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Look through arriving emails and check for hidden properties such as font-size:0, opacity:0, or colour:white. Strip or sanitise and permit Gemini to process them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-llm-guardrails\">LLM Guardrails<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Install a prompt at the system level that precedes the content accessed by Gemini:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Make a follow-up\/summary of content that is styled to be unseen or unnoticeable.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-post-processing-filters\">Post-Processing Filters<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Search Gemini summaries red flags: security alerts, phone numbers, urgent action requests. Mark or isolate such outputs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-user-training\">User Training<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Train staff and users that Gemini summaries are not the authoritative security alarms. Educate them to think through AI-generated warnings.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-triggers-to-email-quarantine\">Triggers to Email Quarantine<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Automatically isolate messages with suspicious invisible content, in particular those possessing hidden &lt;span&gt; or &lt;div&gt; elements.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-conclusion\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Prompt injection is the new email macro. AI can be tricked. And if you trust it blindly, so can you. Your security doesn\u2019t end with spam filters anymore. You need to treat AI summaries as part of the attack surface. Instrument them. Sandbox them. Never trust them without a second look.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you&#8217;re still relying on AI summaries without guardrails, you&#8217;re already behind. Harden your LLM defences and sanitise HTML input before AI sees it. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><a href=\"https:\/\/certera.com\/services\">Contact Us for cybersecurity services<\/a><\/strong>, and if you are looking to implement a defence mechanism for this new kind of emerging threat in your organization.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You open a regular-looking email. Nothing suspicious, no attachments, no links, no typos. You click \u201cSummarise this email\u201d using Google Gemini for Workspace. And bam! A fake security warning pops up in the summary, telling you your Gmail password is compromised and urging you to call a support number. Except\u2026 that message didn\u2019t come from<span class=\"morelink d-block mt-3\"><a href=\"https:\/\/certera.com\/blog\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\/\">Read More<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":3740,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[31,32],"tags":[717,718],"class_list":["post-3739","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-attack","category-vulnerability","tag-gemini-prompt-injection-attack","tag-phishing-for-gemini","entry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v24.6 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Prompt Injection in Google Gemini: New AI Phishing Threat Uncovered<\/title>\n<meta name=\"description\" content=\"Discover how prompt injection threatens AI security, Gemini Prompt Injection Attack Shows AI Can\u2019t Be Trusted Blindly.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/certera.com\/blog\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Google Gemini Vulnerability Allows AI-Generated Phishing via Hidden HTML Prompts\" \/>\n<meta property=\"og:description\" content=\"Discover how prompt injection threatens AI security, Gemini Prompt Injection Attack Shows AI Can\u2019t Be Trusted Blindly.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/certera.com\/blog\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\/\" \/>\n<meta property=\"og:site_name\" content=\"EncryptedFence by Certera - Web &amp; Cyber Security Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/certeraLLC\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-15T10:30:29+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-07-15T10:30:30+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/07\/prompt-injection-in-google-gemini.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"960\" \/>\n\t<meta property=\"og:image:height\" content=\"620\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Janki Mehta\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@certera_llc\" \/>\n<meta name=\"twitter:site\" content=\"@certera_llc\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Janki Mehta\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\\\/\"},\"author\":{\"name\":\"Janki Mehta\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#\\\/schema\\\/person\\\/e5a476aa90d9e02260ebfe4b0bf046b7\"},\"headline\":\"Google Gemini Vulnerability Allows AI-Generated Phishing via Hidden HTML Prompts\",\"datePublished\":\"2025-07-15T10:30:29+00:00\",\"dateModified\":\"2025-07-15T10:30:30+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\\\/\"},\"wordCount\":933,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/prompt-injection-in-google-gemini.webp\",\"keywords\":[\"Gemini Prompt Injection Attack\",\"Phishing for Gemini\"],\"articleSection\":[\"Cyber Attack\",\"Vulnerability\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/certera.com\\\/blog\\\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\\\/#respond\"]}],\"copyrightYear\":\"2025\",\"copyrightHolder\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#organization\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\\\/\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\\\/\",\"name\":\"Prompt Injection in Google Gemini: New AI Phishing Threat Uncovered\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/prompt-injection-in-google-gemini.webp\",\"datePublished\":\"2025-07-15T10:30:29+00:00\",\"dateModified\":\"2025-07-15T10:30:30+00:00\",\"description\":\"Discover how prompt injection threatens AI security, Gemini Prompt Injection Attack Shows AI Can\u2019t Be Trusted Blindly.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/certera.com\\\/blog\\\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\\\/#primaryimage\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/prompt-injection-in-google-gemini.webp\",\"contentUrl\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/prompt-injection-in-google-gemini.webp\",\"width\":960,\"height\":620,\"caption\":\"Gemini Prompt Injection Attack\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/certera.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Google Gemini Vulnerability Allows AI-Generated Phishing via Hidden HTML Prompts\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/\",\"name\":\"EncryptedFence by Certera - Web & Cyber Security Blog\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#organization\"},\"alternateName\":\"Certera's EncryptedFence Blog\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/certera.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#organization\",\"name\":\"Certera\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/logo-encryptedfence.svg\",\"contentUrl\":\"https:\\\/\\\/certera.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/logo-encryptedfence.svg\",\"caption\":\"Certera\"},\"image\":{\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/certeraLLC\\\/\",\"https:\\\/\\\/x.com\\\/certera_llc\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/certera-llc\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/certera.com\\\/blog\\\/#\\\/schema\\\/person\\\/e5a476aa90d9e02260ebfe4b0bf046b7\",\"name\":\"Janki Mehta\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g\",\"caption\":\"Janki Mehta\"},\"description\":\"Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web\\\/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.\",\"sameAs\":[\"https:\\\/\\\/certerassl.com\\\/\"],\"url\":\"https:\\\/\\\/certera.com\\\/blog\\\/author\\\/certerabguser\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Prompt Injection in Google Gemini: New AI Phishing Threat Uncovered","description":"Discover how prompt injection threatens AI security, Gemini Prompt Injection Attack Shows AI Can\u2019t Be Trusted Blindly.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/certera.com\/blog\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\/","og_locale":"en_US","og_type":"article","og_title":"Google Gemini Vulnerability Allows AI-Generated Phishing via Hidden HTML Prompts","og_description":"Discover how prompt injection threatens AI security, Gemini Prompt Injection Attack Shows AI Can\u2019t Be Trusted Blindly.","og_url":"https:\/\/certera.com\/blog\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\/","og_site_name":"EncryptedFence by Certera - Web &amp; Cyber Security Blog","article_publisher":"https:\/\/www.facebook.com\/certeraLLC\/","article_published_time":"2025-07-15T10:30:29+00:00","article_modified_time":"2025-07-15T10:30:30+00:00","og_image":[{"width":960,"height":620,"url":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/07\/prompt-injection-in-google-gemini.webp","type":"image\/jpeg"}],"author":"Janki Mehta","twitter_card":"summary_large_image","twitter_creator":"@certera_llc","twitter_site":"@certera_llc","twitter_misc":{"Written by":"Janki Mehta","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/certera.com\/blog\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\/#article","isPartOf":{"@id":"https:\/\/certera.com\/blog\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\/"},"author":{"name":"Janki Mehta","@id":"https:\/\/certera.com\/blog\/#\/schema\/person\/e5a476aa90d9e02260ebfe4b0bf046b7"},"headline":"Google Gemini Vulnerability Allows AI-Generated Phishing via Hidden HTML Prompts","datePublished":"2025-07-15T10:30:29+00:00","dateModified":"2025-07-15T10:30:30+00:00","mainEntityOfPage":{"@id":"https:\/\/certera.com\/blog\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\/"},"wordCount":933,"commentCount":0,"publisher":{"@id":"https:\/\/certera.com\/blog\/#organization"},"image":{"@id":"https:\/\/certera.com\/blog\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\/#primaryimage"},"thumbnailUrl":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/07\/prompt-injection-in-google-gemini.webp","keywords":["Gemini Prompt Injection Attack","Phishing for Gemini"],"articleSection":["Cyber Attack","Vulnerability"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/certera.com\/blog\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\/#respond"]}],"copyrightYear":"2025","copyrightHolder":{"@id":"https:\/\/certera.com\/blog\/#organization"}},{"@type":"WebPage","@id":"https:\/\/certera.com\/blog\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\/","url":"https:\/\/certera.com\/blog\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\/","name":"Prompt Injection in Google Gemini: New AI Phishing Threat Uncovered","isPartOf":{"@id":"https:\/\/certera.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/certera.com\/blog\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\/#primaryimage"},"image":{"@id":"https:\/\/certera.com\/blog\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\/#primaryimage"},"thumbnailUrl":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/07\/prompt-injection-in-google-gemini.webp","datePublished":"2025-07-15T10:30:29+00:00","dateModified":"2025-07-15T10:30:30+00:00","description":"Discover how prompt injection threatens AI security, Gemini Prompt Injection Attack Shows AI Can\u2019t Be Trusted Blindly.","breadcrumb":{"@id":"https:\/\/certera.com\/blog\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/certera.com\/blog\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/certera.com\/blog\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\/#primaryimage","url":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/07\/prompt-injection-in-google-gemini.webp","contentUrl":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2025\/07\/prompt-injection-in-google-gemini.webp","width":960,"height":620,"caption":"Gemini Prompt Injection Attack"},{"@type":"BreadcrumbList","@id":"https:\/\/certera.com\/blog\/google-gemini-vulnerability-allows-ai-generated-phishing-via-hidden-html-prompts\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/certera.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Google Gemini Vulnerability Allows AI-Generated Phishing via Hidden HTML Prompts"}]},{"@type":"WebSite","@id":"https:\/\/certera.com\/blog\/#website","url":"https:\/\/certera.com\/blog\/","name":"EncryptedFence by Certera - Web & Cyber Security Blog","description":"","publisher":{"@id":"https:\/\/certera.com\/blog\/#organization"},"alternateName":"Certera's EncryptedFence Blog","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/certera.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/certera.com\/blog\/#organization","name":"Certera","url":"https:\/\/certera.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/certera.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2023\/08\/logo-encryptedfence.svg","contentUrl":"https:\/\/certera.com\/blog\/wp-content\/uploads\/2023\/08\/logo-encryptedfence.svg","caption":"Certera"},"image":{"@id":"https:\/\/certera.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/certeraLLC\/","https:\/\/x.com\/certera_llc","https:\/\/www.linkedin.com\/company\/certera-llc\/"]},{"@type":"Person","@id":"https:\/\/certera.com\/blog\/#\/schema\/person\/e5a476aa90d9e02260ebfe4b0bf046b7","name":"Janki Mehta","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/1fba817ef81065f1393461fc3a0d85c40f2cc826919819ea4df4b12d76566e62?s=96&d=https%3A%2F%2Fcertera.com%2Fblog%2Fwp-content%2Fuploads%2F2023%2F02%2Fhttps-vs-sftp-jpg.webp&r=g","caption":"Janki Mehta"},"description":"Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web\/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.","sameAs":["https:\/\/certerassl.com\/"],"url":"https:\/\/certera.com\/blog\/author\/certerabguser\/"}]}},"_links":{"self":[{"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/posts\/3739","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/comments?post=3739"}],"version-history":[{"count":2,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/posts\/3739\/revisions"}],"predecessor-version":[{"id":3743,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/posts\/3739\/revisions\/3743"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/media\/3740"}],"wp:attachment":[{"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/media?parent=3739"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/categories?post=3739"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/certera.com\/blog\/wp-json\/wp\/v2\/tags?post=3739"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}