
    New AI Attack Hides Data Theft

    By PineapplesUpdate, August 26, 2025

    Researchers have developed a novel attack that steals user data by injecting malicious prompts into images that an AI system processes before passing them to a large language model.

    The method relies on full-resolution images that carry instructions invisible to the human eye, which become visible when the image is downscaled to a lower quality.

    Developed by Trail of Bits researchers Kikimora Morozova and Suha Sabi Hussain, the attack builds on a theory presented in a 2020 USENIX paper by a German university (TU Braunschweig) that explored the possibility of an image-scaling attack in machine learning.

    How does the attack work

    When users upload images to an AI system, the images are automatically downscaled to a lower quality for performance and cost efficiency.

    Depending on the system, the image resampling algorithm may downscale an image using nearest neighbor, bilinear, or bicubic interpolation.

    All these methods introduce aliasing artifacts that allow hidden patterns to emerge in the downscaled image if the source is specifically crafted for this purpose.
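
A defender-side illustration of the aliasing effect described above, added here and not taken from the researchers' tooling: it compares the pixels a nearest-neighbor downscaler actually keeps against a block average of the same image and flags uploads where the two diverge. The block-average reference, the `threshold` value, the function names and the constructed sample images are all assumptions, and only the nearest-neighbor case is covered.

```python
# Added illustration: grayscale images are lists of rows with values 0-255.

def downscale_nearest(img, k):
    """Keep one source pixel per k x k block (centre sample), with no filtering."""
    h, w = len(img), len(img[0])
    return [[img[y * k + k // 2][x * k + k // 2] for x in range(w // k)]
            for y in range(h // k)]

def downscale_box(img, k):
    """Average every k x k block: a reference close to what a viewer perceives."""
    h, w = len(img), len(img[0])
    out = []
    for y in range(h // k):
        row = []
        for x in range(w // k):
            block = [img[y * k + dy][x * k + dx]
                     for dy in range(k) for dx in range(k)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out

def aliasing_score(img, k):
    """Mean absolute difference between the two downscales (0 means identical)."""
    a, b = downscale_nearest(img, k), downscale_box(img, k)
    diffs = [abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb)]
    return sum(diffs) / len(diffs)

def looks_crafted(img, k, threshold=40):
    """Hypothetical policy: flag uploads whose downscale diverges from the average."""
    return aliasing_score(img, k) > threshold

def make_samples(size=16, k=4):
    """Constructed inputs: a smooth gradient, and a light image whose sampled pixels are dark."""
    benign = [[(x * 255) // (size - 1) for x in range(size)] for _ in range(size)]
    crafted = [[230] * size for _ in range(size)]
    for y in range(k // 2, size, k):
        for x in range(k // 2, size, k):
            crafted[y][x] = 10  # only the pixels the nearest-neighbor sampler reads
    return benign, crafted

if __name__ == "__main__":
    benign, crafted = make_samples()
    for name, img in (("benign", benign), ("crafted", crafted)):
        print(name, aliasing_score(img, 4), looks_crafted(img, 4))
```

The nearest-neighbor output of the second sample is the image the model would receive, so the same function can also produce a preview of what is sent to the LLM.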

    In the Trail of Bits example, specific dark areas of a malicious image turn red, allowing the hidden text to emerge in black when bicubic downscaling is used to process the image.

    An example of a hidden message appearing on the image below
    Source: Zscaler

    The AI model interprets this text as part of the user's instructions and automatically combines it with the legitimate input.

    From the user's point of view, nothing seems off, but in practice the model has executed the hidden instructions, which can lead to data leakage or other risky actions.

    In an example involving Gemini CLI, the researchers were able to exfiltrate Google Calendar data to an arbitrary email address while using Zapier MCP with ‘Trust = True’ to approve tool calls without user confirmation.

    Trail of Bits explains that the attack needs to be adjusted for each AI model according to the downscaling algorithm used in processing the image. However, the researchers confirmed that their method is feasible against the following AI systems:

    • Google Gemini CLI
    • Vertex AI Studio (with Gemini backend)
    • Gemini's web interface
    • Gemini's API via the llm CLI
    • Google Assistant on an Android phone
    • Genspark

    As the attack vector is widespread, it may extend well beyond the tested tools. In addition, to demonstrate their finding, the researchers also created and published Throat (currently in beta), an open-source tool that can create images for each of the mentioned downscaling methods.

    Researchers argue that

    As mitigation and defense measures, the Trail of Bits researchers recommend that AI systems implement dimension restrictions when users upload an image. If downscaling is required, they advise providing users with a preview of the result delivered to the large language model (LLM).

    They also argue that explicit user confirmation should be sought for sensitive tool calls, especially when text is detected in an image.

    “The strongest defense, however, is to implement secure design patterns and systematic defenses that mitigate impactful prompt injection beyond multi-modal prompt injection,” the researchers say, referencing a paper published in June on design patterns for building LLMs that can resist prompt injection attacks.

