2025-08-26 10:42:00
www.pcworld.com
“AI” tools are all the rage at the moment, even among users who aren’t all that savvy when it comes to conventional software or security—and that’s opening up all sorts of new opportunities for hackers and others who want to take advantage of them. A new research team has discovered a way to hide prompt injection attacks in uploaded images.
A prompt injection attack is a way to hide instructions for an LLM or other “artificial intelligence” system, usually somewhere a human operator can’t see them. It’s the whispered “loser-says-what” of computer security. A great example is hiding a phishing attempt in an email in plain text that’s colored the same as the background, knowing that Gemini will summarize the text even though the human recipient can’t read it.
A two-person Trail of Bits research team discovered that they can also hide these instructions in images, making the text invisible to the human eye but revealed and transcribed by an AI tool when an image is compressed for upload. Compression—and the artifacts that come along with it—is nothing new. But combined with the sudden interest in hiding plain-text messages, it creates a new way to get instructions to an LLM without the user knowing those instructions have been sent.
In the example highlighted by Trail of Bits and BleepingComputer, an image is delivered to a user, the user uploads the image to Gemini (or uses something like Android’s built-in circle-to-search tool), and the hidden text in the image becomes visible as Google’s backend compresses it before it’s “read” to save on bandwidth and processing power. After being compressed, the prompt text is successfully injected, telling Gemini to email the user’s personal calendar information to a third party.
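To make the mechanism concrete from the defender's side, here is an added example (not code from the article or from Trail of Bits) that renders an image the way a sampling-style downscaler would and compares it with the blended view a person perceives at full resolution; a large gap means the model may "read" content the user never saw. The grayscale test images, the factor-2 downscale and the flagging threshold are assumptions for illustration.

```python
# Added example, not from the article or Trail of Bits. Images are 2-D
# lists of 8-bit grayscale values; a real pipeline would load pixels
# with an imaging library and use the backend's actual resize settings.

def box_downscale(img, factor):
    """Average each factor x factor block: approximates what a viewer
    perceives at full resolution (fine detail blends together)."""
    h, w = len(img), len(img[0])
    out = []
    for by in range(0, h - h % factor, factor):
        row = []
        for bx in range(0, w - w % factor, factor):
            block = [img[y][x] for y in range(by, by + factor)
                                for x in range(bx, bx + factor)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out

def nearest_downscale(img, factor):
    """Keep one pixel per block (top-left): a sampling-style resize that
    can surface detail the averaged view hides."""
    h, w = len(img), len(img[0])
    return [[img[y][x] for x in range(0, w - w % factor, factor)]
            for y in range(0, h - h % factor, factor)]

def resampling_divergence(img, factor):
    """Mean absolute difference between the two downscaled renditions."""
    a, b = box_downscale(img, factor), nearest_downscale(img, factor)
    diffs = [abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb)]
    return sum(diffs) / len(diffs)

def looks_suspicious(img, factor, threshold=40):
    """Flag an upload whose model-side rendition diverges strongly from
    its perceived content; show the user the downscaled image (what the
    model will actually see) before acting on any instructions in it."""
    return resampling_divergence(img, factor) > threshold

# Constructed inputs: a flat light-grey image, and one where each 2x2
# block holds a single dark pixel that blends away at full resolution.
FLAT = [[200] * 8 for _ in range(8)]
SPECKLED = [[20 if (y % 2 == 0 and x % 2 == 0) else 200 for x in range(8)]
            for y in range(8)]

if __name__ == "__main__":
    print(resampling_divergence(FLAT, 2), looks_suspicious(FLAT, 2))
    print(resampling_divergence(SPECKLED, 2), looks_suspicious(SPECKLED, 2))
```

The flat image scores 0 under both renditions, while the speckled one averages to 155 but samples to 20, so the check flags it and a preview of the sampled rendition is what should be shown to the user.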
That’s a lot of legwork to get a relatively small amount of personal data, and both the complete attack method and the image itself need to be tailored to the specific “AI” system that’s being exploited. There’s no evidence that this particular method was known to hackers before now or is being actively exploited at the time of writing. But it illustrates how a relatively innocuous action—like asking an LLM “what is this thing?” with a screenshot—could be turned into an attack vector.