Particle.news

Google Deploys Protections for Gmail AI Summaries to Thwart Phishing Exploit

Users should treat AI-generated summaries as informational rather than authoritative security alerts

Overview

  • Researchers revealed that hidden HTML and CSS directives can trick Gemini into appending malicious phishing warnings to email summaries
  • Researcher Marco Figueroa disclosed the vulnerability through Mozilla’s 0din bug bounty after spotting the zero-size text exploit
  • Google reports no evidence of real-world incidents abusing the flaw and says defenses are now being implemented
  • The company is adding filters to strip or neutralize invisible content and plans post-processing checks for urgent messages and phone numbers
  • Security teams are advised to eliminate hidden email elements before summarization and educate users on verifying alerts through official channels