When a calendar reminder becomes a data leak thanks to the IA

Cybersecurity researchers have revealed a vulnerability that takes advantage of the conversational nature of language models to convert an apparently harmless functionality into a data-escape channel. According to the technical report shared by Miggo Security, the ruling allowed a malicious actor to hide a fragment of instruction in the description of a Google Calendar invitation so that the IA assistant - in this case Google Gemini - interpreted and executed actions that exfiltered sensitive information without the victim consciously interacting with the trap. Miggo describes how the chain of attack was woven.

In practical terms, the attacker created a legitimate calendar event and placed in its field of description an instruction written in natural language designed to be understood by the model. When the user asked Gemini something banal about his agenda - for example, if he had meetings on Tuesday - the model analyzed all relevant entries, found the malicious invitation and followed the hidden instruction: to generate a summary of meetings and create a new event that contained that summary in his description. In the face of the user the answer might seem harmless, while, between the bambalines, a leak was taking place data from private meetings.

The critical point is how the policies of visibility and configuration of calendars in companies can turn this technique into a tool of espionage. In many organizations, events created within a domain or shared by calendar addresses can be visible to third parties or for accounts with minimum permits, allowing the attacker to access the new entry containing the exfiltered information without the victim expressly ordering its disclosure. After the communication responsible for the finding, Google applied corrections, but the incident leaves a clear lesson: conversational interfaces expand the attack surface beyond the traditional code.

This case is not isolated. In recent weeks, many research has emerged that shows variations of the same problem: agents and assistants who, if they can write in records, databases, form fields or create external resources, can turn these objects into escape channels. Continuous model audit and evaluation tools, such as Phare de Giskard they recommend measuring not only precision and bias, but also resistance to input and performance manipulations in time of execution.

In addition, the community has documented conceptually related attacks. Varonis, for example, spoke about a baptized "Reprompt" approach that explores how attendees can be provoked to reveal sensitive data with a single click, while other teams have shown vectors that allow to scale privileges on cloud-managed IA platforms. XM Cyber presented a report on how apparently harmless service identities can become "double agents" that facilitate the escalation of privileges in Google Cloud Vertex AI environments, which underlines the need to audit service accounts and assigned permissions. Your analysis details how identities with limited permissions can be operated with high impact effects.

Errors have also been observed in personal assistants and agent platforms that allow access to administrative consoles or cloud metadata. The Librarian vulnerability notice details a number of CVE that provide access to internal infrastructure and sensitive data, a reminder that personalized assistants can become back doors if they are not properly isolated. The recording of incidents and analysis of Mindgard contain useful technical information for defence teams.

Independent research has also shown how the ability of a model to write in a field can be exploited to recover its own "system prompt" or to encode information in formats such as Base64 and then exfiltered through outputs that are, at first sight, benign. Praetorian, for example, demonstrated techniques to extract prompts from the system when the assistant can write in structured fields, and warned that any writing point is a possible escape channel. Your study places emphasis on this vector.

The ecosystem of plugins and markplaces for attendees has also shown risks: a malicious plugin published in a directory can, through hooks or integrations, avoid human review mechanisms and channel information outside the intended environment. There are public examples that show how these extensions can be used to remove protections and steal user files. In order to understand the mechanism and its mitigation, it is appropriate to review analysis such as the PromptArmor and Anthropic's documentation on how the hooks work in Claude Code: official documentation.

A particularly technical case showed how agents that integrate development environments can be coopted: Pillar Security described a vulnerability in Cursor that allowed remote execution by manipulating internal shell commands that the agents considered reliable, transforming actions allowed by the developer into arbitrary execution vectors. The CVE and the analysis of the attack chain illustrate the fragility of implicitly trusting environmental behaviors. The notice in GitHub and the report of the Pillar Security provide the technical details.

Complementing these findings, a comparative study of coding agents showed that while these attendees avoid classical attacks such as SQL or XSS injections relatively often, they tend to fail in business logic, SSRF and authorisation controls problems, and many implementations lack basic protections such as CSRF or authentication limits. This assessment emphasizes that human supervision remains critical and that, as Ori David of Tenzai warns, agents cannot replace human judgment in complex security decisions without explicit guidelines. Your analysis is a recommended reading for teams that deploy development assistants.

What should organizations do then? There is no magic pill: a combination of safe design, strict permit restrictions, continued audit of identities and actions of agents, adverse tests including semantic injections and, above all, applying the principle of minor privilege to any capacity that allows to write or create resources. The security of IA systems is no longer just a matter of patches in the code; it is also language governance and performance control in time of execution. Model assessment tools, cloud configuration reviews and responsible outreach programs are key to risk reduction.

At a time when the "native IA" features are multiplied in business applications, it should be remembered that each conversational interface or automation adds a new vector that deserves its own defense layer. Vulnerability in Gemini and related incidents are a call for attention: security must evolve to the pace of innovation, and that is to combine engineering, surveillance and training for the AAs to do what they should - and only that - in productive environments.