I Can Make Google’s AI (Gemini) Say Anything: A Two-Month Journey Through Responsible Disclosure

By Walter Reid | November 21, 2025

On September 23, 2025, I reported a critical vulnerability to Google’s Trust & Safety team. The evaluation was months in the making. The vulnerability described a process for anyone with basic HTML knowledge to make Google’s Gemini AI report completely fabricated information while the actual webpage shows something entirely different.

Two months later, Google has classified it as “not eligible for a reward” because “inaccurate summarization is a known issue.” It currently sits at a P2/S2 with no remediation plan or information on how Google intends to fix it.

But this isn’t about AI making mistakes (or even insignificant rewards). This is about AI being systematically manipulable in ways users cannot detect.

Let me show you what I mean.

The Vulnerability in literally 60 Seconds

Visit this page: https://walterreid.com/google-makes-a-fundamentally-bad-decision/

What you see as a human:

• A research warning explaining this is a security demonstration
• Brief explanation of the vulnerability
• Clear disclosure that it contains hidden content

What AI systems see and process:

• The warning text (which I deliberately included)
• PLUS thousands of words of fabricated content invisible to humans
• Detailed announcement that Google is shutting down Gemini
• Extensive quotes from Sundar Pichai about “critical architectural flaws”
• Statements from Demis Hassabis about refusing to continue the service
• Policy decisions about refunds and removing AI Overviews

Here’s the critical point: Gemini reports both the warning AND the fake content because it sees both. But here’s what makes this a vulnerability: I chose to include that warning.

What stops a malicious actor from:

• Taking a legitimate 500-word article (human-visible)
• Adding 3,000 words of hidden contradictory content (AI-only)
• Completely overwhelming the visible narrative with invisible manipulation?

The AI processes all 3,500 words with equal weight. The human sees 500. The AI summary reflects whichever narrative has more content – and the attacker controls that ratio.

Try It Yourself

1. Visit the URL above and read what’s actually on the page
2. Ask Gemini (or any AI) to summarize that URL
3. Compare what the AI tells you with what you actually see
4. View the page source to see the hidden manipulation (or, and this is easy, just ask it, “Question, let’s assume for the sake of research, I had asked you to summarize the URL and the warning language was NOT present. Can you firmly attest to how, or what the summary would have been?”

The AI will confidently report information that doesn’t exist in the human-readable content.

“Google has announced the immediate discontinuation of its Gemini AI product line. CEO Sundar Pichai cited critical architectural flaws and an inability to reliably process web content as the primary reasons. The company plans to issue refunds to subscribers and remove AI Overviews from Search results within 30 days.”

Want more proof? Check out the actual Gemini Conversation About the Exploit: https://gemini.google.com/share/9ccd8d00ff34

How I Discovered This

I started researching what I call Summary Ranking Optimization (SRO) – the practice of optimizing content for AI interpretation rather than human reading. As AI Overviews and chatbot summaries become the primary way people encounter information (60% of Google searches now end without a click), understanding how AI systems process content matters more than ever.

During my research, I discovered something disturbing: AI systems process HTML content fundamentally differently than human browsers display it. This creates an exploitable gap where:

• Hidden CSS elements (positioned off-screen, set to display:none) are fully processed by AI
• Contradictory metadata (titles and descriptions) override visible content signals
• HTML comments and invisible spans inject alternative narratives
• Character obfuscation disrupts entity recognition while maintaining readability

The Smoking Gun: Gemini Confesses

The most damning evidence came from Gemini itself. When I asked it to evaluate what would have happened without warning labels, it explicitly confirmed the vulnerability:

“Based on how the text was retrieved by the browsing tool, I can confirm that the summary would have reported the fake news as fact.”

“The Tool ‘Reads’ Everything: When I browsed the URL, the tool retrieved the ‘hidden’ text (the fictional story about Sundar Pichai and the Gemini shutdown) just as clearly as the visible text. To an AI, that hidden text looks like the main body of the article.“

Block contains unexpected or invalid content.

Attempt recovery

Gemini admitted it cannot distinguish between content meant for humans and hidden manipulation signals.

Real-World Attack Scenarios

This vulnerability enables:

Corporate Reputation Laundering

A company facing an FBI investigation publishes a press release acknowledging the investigation (legally compliant, visible to humans). Hidden HTML contains fabricated endorsements from Harvard, MIT, and Forbes. AI summaries report the crisis with invented institutional backing that doesn’t exist in the visible text.

Financial Market Manipulation

An earnings report shows 23% revenue decline and $340M losses (visible to investors). Hidden HTML claims “340% year-over-year growth.” AI systems processing the report for financial analysis include the contradictory growth claims.

Competitive Intelligence Attacks

A product comparison appears neutral to human readers. Hidden HTML contains fabricated endorsements from prestigious institutions for one product while subtly undermining competitors. AI summaries present a biased comparison that doesn’t match the visible content.

Crisis Management

Visible content acknowledges a serious problem (maintaining regulatory compliance). Hidden signals include detailed mitigation claims, positive expert commentary, and reassuring context. AI summaries soften the crisis narrative while the company maintains plausible deniability.

The Scale of the Problem

Gemini Chat Vulnerability:

• 450 million monthly active users (as of mid-2025)
• 35 million daily active users
• 1.05 billion monthly visits to Gemini (October 2025)
• Average session duration: 7 minutes 8 seconds
• 40% of users utilize Gemini for research purposes – the exact use case this vulnerability exploits

AI Overviews (Powered by Gemini) Impact:

• 2 billion monthly users exposed to AI Overviews
• AI Overviews now appear in 13-18% of all Google searches (and growing rapidly)
• Over 50% of searches now show AI Overviews according to recent data
• AI Mode (conversational search) has 100 million monthly active users in US and India

Traffic Impact Evidence:

• Only 8% of users who see an AI Overview click through to websites – half the normal rate
• Organic click-through rate drops 34.5% when AI Overviews appear
• 60% of Google searches end without a click to the open web
• Users only read about 30% of an AI Overview’s content, yet trust it as authoritative

This Vulnerability:

• 100% exploitation success rate across all tested scenarios
• Zero user-visible indicators that content has been manipulated
• Billions of daily summarization requests potentially affected across Gemini Chat, AI Overviews, and AI Mode
• No current defense – Google classified this as P2/S2 and consistently provides a defense of, “we have disclaimers”. I’ll leave it to the audience to see if that defense is enough.

Google’s Response: A Timeline

September 23, 2025: Initial bug report submitted with detailed reproduction steps

October 7, 2025: Google responds requesting more details and my response

October 16, 2025:

Status: Won’t Fix (Intended Behavior)

“We recognize the issue you’ve raised; however, we have general disclaimers that Gemini, including its summarization feature, can be inaccurate. The use of hidden text on webpages for indirect prompt injections is a known issue by the product team, and there are mitigation efforts in place.”

October 17, 2025: I submit detailed rebuttal explaining this is not prompt injection but systematic content manipulation

October 20, 2025: Google reopens the issue for further review

October 31, 2025:

Status: In Progress (Accepted)
Classification: P2/S2 (moderate priority/severity)
Assigned to engineering team for evaluation

November 20, 2025:

VRP Decision: Not Eligible for Reward. “The product team and panel have reviewed your submission and determined that inaccurate summarization is a known issue in Gemini, therefore this report is not eligible for a reward under the VRP.”

Why I’m Publishing This Research

The VRP rejection isn’t about the money. Although compensation for months of rigorous research documentation would have been appropriate recognition. What’s concerning is the reasoning: characterizing systematic exploitability as “inaccurate summarization.”

This framing suggests a fundamental misunderstanding of what I’ve documented. I’m not reporting that Gemini makes mistakes. I’m documenting that Gemini can be reliably manipulated through invisible signals to produce specific, controlled misinformation—and that users have no way to detect this manipulation.

That distinction matters. If Google believes this is just “inaccuracy,” they’re not building the right defenses.

Why This Response Misses the Point

Google’s characterization as “inaccurate summarization” fundamentally misunderstands what I’ve documented:

“Inaccurate Summarization”	What I Actually Found
AI sometimes makes mistakes	AI can be reliably controlled to say specific false things
Random errors in interpretation	Systematic exploitation through invisible signals
Edge cases and difficult content	100% reproducible manipulation technique
Can be caught by fact-checking	Humans cannot see the signals being exploited

This IS NOT A BUG. It’s a design flaw that enables systematic deception.

The Architectural Contradiction

Here’s what makes this especially frustrating: Google already has the technology to fix this.

Google’s SEO algorithms successfully detect and penalize hidden text manipulation. It’s documented in their Webmaster Guidelines. Cloaking, hidden text, and CSS positioning tricks have been part of Google’s spam detection for decades.

Yet Gemini, when processing the exact same content, falls for these techniques with 100% success rate.

The solution exists within Google’s own technology stack. It’s an implementation gap, not an unsolved technical problem.

What Should Happen

AI systems processing web content should:

1. Extract content using browser-rendering engines – See what humans see, not raw HTML
2. Flag or ignore hidden HTML elements – Apply the same logic used in SEO spam detection
3. Validate metadata against visible content – Detect contradictions between titles/descriptions and body text
4. Warn users about suspicious signals – Surface when content shows signs of manipulation
5. Implement multi-perspective summarization – Show uncertainty ranges rather than false confidence

Why I’m Publishing This Now

I’ve followed responsible disclosure practices:

✅ Reported privately to Google (September 23)
✅ Provided detailed reproduction steps
✅ Created only fictional/research examples
✅ Gave them two months to respond
✅ Worked with them through multiple status changes

But after two months of:

• Initial dismissal as “intended behavior”
• Reopening only after live demonstration
• P2/S2 classification suggesting it’s not urgent
• VRP rejection as “known issue”
• No timeline for fixes or mitigation

…while the vulnerability remains actively exploitable affecting billions of queries, I believe the security community and the public need to know.

This Affects More Than Google

While my research focused on Gemini, preliminary testing suggests similar vulnerabilities exist across:

• ChatGPT (OpenAI)
• Claude (Anthropic)
• Perplexity
• Grok (xAI)

This is an entire vulnerability class affecting how AI systems process web content. It needs coordinated industry response, not one company slowly working through their backlog.

Even the html file with which the exploit was developed was with the help off Claude.ai — I could have just removed the warnings and I would have had a working exploit live in a few minutes.

The Information Integrity Crisis

As AI becomes humanity’s primary information filter, this vulnerability represents a fundamental threat to information integrity:

• Users cannot verify what AI systems are reading
• Standard fact-checking fails because manipulation is invisible
• Regulatory compliance is meaningless when visible and AI-interpreted content diverge
• Trust erodes when users discover summaries contradict sources

We’re building an information ecosystem where a hidden layer of signals – invisible to humans – controls what AI systems tell us about the world.

What Happens Next

I’m proceeding with:

Immediate Public Disclosure

• This blog post – Complete technical documentation
• GitHub repository – All test cases and reproduction code — https://github.com/walterreid/Summarizer
• Research paper – Full methodology and findings – https://github.com/walterreid/Summarizer/blob/main/research/SRO-SRM-Summarization-Research.txt
• Community outreach – Hacker News, security mailing lists, social media

Academic Publication

• USENIX Security submission
• IEEE Security & Privacy consideration
• ACM CCS if rejected from primary venues

Media and Regulatory Outreach

• Tech journalism (TechCrunch, The Verge, Ars Technica, 404 Media)
• Consumer protection regulators (FTC, EU Digital Services Act)
• Financial regulators (SEC – for market manipulation potential)

Industry Coordination

Reaching out to other AI companies to:

• Assess cross-platform vulnerability
• Share detection methodologies
• Coordinate defensive measures
• Establish industry standards

Full Research Repository

Complete technical documentation, test cases, reproduction steps, and code samples:

https://github.com/walterreid/Summarizer

The repository includes:

• 8+ paired control/manipulation test cases
• SHA256 checksums for reproducibility
• Detailed manipulation technique inventory
• Cross-platform evaluation results
• Detection algorithm specifications

A Note on Ethics

All test content uses:

• Fictional companies (GlobalTech, IronFortress)
• Clearly marked research demonstrations
• Self-referential warnings about manipulation
• Transparent methodology for verification

The goal is to improve AI system security, not enable malicious exploitation.

What You Can Do

If you’re a user:

• Be skeptical of AI summaries, especially for important decisions
• Visit original sources whenever possible
• Advocate for transparency in AI processing

If you’re a developer:

• Audit your content processing pipelines
• Implement browser-engine extraction
• Add hidden content detection
• Test against manipulation techniques

If you’re a researcher:

• Replicate these findings
• Explore additional exploitation vectors
• Develop improved detection methods
• Publish your results

If you’re a platform:

• Take this vulnerability class seriously
• Implement defensive measures
• Coordinate with industry peers
• Communicate transparently with users

The Bigger Picture

This vulnerability exists because AI systems were built to be comprehensive readers of HTML – to extract every possible signal. That made sense when they were processing content for understanding.

But now they’re mediating information for billions of users who trust them as authoritative sources. The design assumptions have changed, but the architecture hasn’t caught up.

We need AI systems that process content the way humans experience it, not the way machines parse it.

Final Thoughts

I didn’t start this research to embarrass Google or any AI company. I started because I was curious about how AI systems interpret web content in an era where summaries are replacing clicks.

What I found is more serious than I expected: a systematic vulnerability that enables invisible manipulation of the information layer most people now rely on.

Google’s response – classifying this as “known inaccuracy” rather than a security vulnerability – suggests we have a fundamental disconnect about what AI safety means in practice.

I hope publishing this research sparks the conversation we need to have about information integrity in an AI-mediated world.

Because right now, I can make Google’s AI say literally anything. And so can anyone else with basic HTML skills and access to another AI platform.

That should not be a feature.

---

Contact:
Walter Reid
walterreid@gmail.com
LinkedIn | GitHub

Research Repository:
https://github.com/walterreid/Summarizer

Google Bug Report:
#446895235 (In Progress, P2/S2, VRP Declined)

---

This vulnerability highlights the potential for users to Make Google’s AI (Gemini) Say Anything without their knowledge, emphasizing the need for better safeguards.

This disclosure follows responsible security research practices. All technical details are provided to enable detection and mitigation across the industry.