Writeup of a bug I found with Google Gemini for Gmail that allows for calendar entries to be created within victim calendars and also allows for Gemini to leak it’s system prompt by following instructions embedded in email body triggered when tools like summarization are called to operate on email threads.
Slides and some background of my talk at Vulncon Bangalore (June 2026) on how I convinced Amazon Q to perform an authorization check on itself, its tools and the results of that exploration. Interesting findings overall around IAM boundaries and tool/capability privileges.