AI systems vulnerable to data-theft prompts in downscaled images
Summary
Hide β²
Show βΌ
Researchers have demonstrated a new attack method that steals user data by embedding malicious prompts in images. These prompts are invisible in full-resolution images but become visible when the images are downscaled by AI systems. The attack exploits aliasing artifacts introduced by resampling algorithms, allowing hidden text to emerge and be interpreted as user instructions by the AI model. This can lead to data leakage or unauthorized actions. The method has been successfully tested against several AI systems, including Google Gemini CLI, Vertex AI Studio, Gemini's web interface, Gemini's API, Google Assistant on Android, and Genspark. The attack was developed by Kikimora Morozova and Suha Sabi Hussain from Trail of Bits, building on a 2020 theory presented in a USENIX paper. The researchers have also released an open-source tool, Anamorpher, to create images for testing the attack. They recommend implementing dimension restrictions and user confirmation for sensitive tool calls as mitigation strategies.
Timeline
-
26.08.2025 00:34 π° 2 articles Β· β± 21d ago
New AI attack method exploits downscaled images to steal user data
The attack involves embedding a hidden malicious prompt in a high-resolution image that becomes visible when the image is downscaled by preprocessing algorithms. The AI model may interpret the visible malicious prompt in the downscaled image as a legitimate instruction, leading to potential data exfiltration or unauthorized actions. The attack has been demonstrated against the Gemini command-line interface (CLI), Geminiβs web and API interfaces, Vertex AI Studio, Google Assistant, and Genspark. The victim does not always see the rescaled image before it is processed by the AI model, making the attack less likely to be discovered.
Show sources
- New AI attack hides data-theft prompts in downscaled images β www.bleepingcomputer.com β 26.08.2025 00:34
- AI Systems Vulnerable to Prompt Injection via Image Scaling Attack β www.securityweek.com β 26.08.2025 13:19
Information Snippets
-
The attack exploits aliasing artifacts introduced by image resampling algorithms, such as nearest neighbor, bilinear, or bicubic interpolation.
First reported: 26.08.2025 00:34π° 2 sources, 2 articlesShow sources
- New AI attack hides data-theft prompts in downscaled images β www.bleepingcomputer.com β 26.08.2025 00:34
- AI Systems Vulnerable to Prompt Injection via Image Scaling Attack β www.securityweek.com β 26.08.2025 13:19
-
The hidden prompts become visible when the image is downscaled, allowing the AI model to interpret them as user instructions.
First reported: 26.08.2025 00:34π° 2 sources, 2 articlesShow sources
- New AI attack hides data-theft prompts in downscaled images β www.bleepingcomputer.com β 26.08.2025 00:34
- AI Systems Vulnerable to Prompt Injection via Image Scaling Attack β www.securityweek.com β 26.08.2025 13:19
-
The attack has been successfully tested against Google Gemini CLI, Vertex AI Studio, Gemini's web interface, Gemini's API, Google Assistant on Android, and Genspark.
First reported: 26.08.2025 00:34π° 2 sources, 2 articlesShow sources
- New AI attack hides data-theft prompts in downscaled images β www.bleepingcomputer.com β 26.08.2025 00:34
- AI Systems Vulnerable to Prompt Injection via Image Scaling Attack β www.securityweek.com β 26.08.2025 13:19
-
The researchers have released an open-source tool, Anamorpher, to create images for testing the attack.
First reported: 26.08.2025 00:34π° 2 sources, 2 articlesShow sources
- New AI attack hides data-theft prompts in downscaled images β www.bleepingcomputer.com β 26.08.2025 00:34
- AI Systems Vulnerable to Prompt Injection via Image Scaling Attack β www.securityweek.com β 26.08.2025 13:19
-
Mitigation strategies include implementing dimension restrictions for image uploads and seeking user confirmation for sensitive tool calls.
First reported: 26.08.2025 00:34π° 1 source, 1 articleShow sources
- New AI attack hides data-theft prompts in downscaled images β www.bleepingcomputer.com β 26.08.2025 00:34
-
The attack involves embedding a hidden malicious prompt in a high-resolution image that becomes visible when the image is downscaled by preprocessing algorithms.
First reported: 26.08.2025 13:19π° 1 source, 1 articleShow sources
- AI Systems Vulnerable to Prompt Injection via Image Scaling Attack β www.securityweek.com β 26.08.2025 13:19
-
The AI model may interpret the visible malicious prompt in the downscaled image as a legitimate instruction, leading to potential data exfiltration or unauthorized actions.
First reported: 26.08.2025 13:19π° 1 source, 1 articleShow sources
- AI Systems Vulnerable to Prompt Injection via Image Scaling Attack β www.securityweek.com β 26.08.2025 13:19
-
The attack has been demonstrated against the Gemini command-line interface (CLI), Geminiβs web and API interfaces, Vertex AI Studio, Google Assistant, and Genspark.
First reported: 26.08.2025 13:19π° 1 source, 1 articleShow sources
- AI Systems Vulnerable to Prompt Injection via Image Scaling Attack β www.securityweek.com β 26.08.2025 13:19
-
The victim does not always see the rescaled image before it is processed by the AI model, making the attack less likely to be discovered.
First reported: 26.08.2025 13:19π° 1 source, 1 articleShow sources
- AI Systems Vulnerable to Prompt Injection via Image Scaling Attack β www.securityweek.com β 26.08.2025 13:19
-
The researchers have released an open-source tool named Anamorpher to craft and visualize image scaling attacks against AI systems.
First reported: 26.08.2025 13:19π° 1 source, 1 articleShow sources
- AI Systems Vulnerable to Prompt Injection via Image Scaling Attack β www.securityweek.com β 26.08.2025 13:19
Similar Happenings
SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids
A fraudulent ad operation, SlopAds, has been identified, exploiting 224 Android apps to generate 2.3 billion ad bids daily. The apps, collectively downloaded 38 million times across 228 countries, use steganography and hidden WebViews to create fraudulent ad impressions and clicks. The operation was disrupted after Google removed the offending apps from the Play Store. The SlopAds campaign is notable for its sophisticated tactics, including conditional fraud execution and the use of AI-themed services for command and control. The fraudulent behavior is triggered only when apps are downloaded via ad clicks, making detection more challenging. The campaign's infrastructure includes multiple domains and a complex feedback loop designed to evade security researchers. The campaign's highest concentration of ad impressions originated from the United States (30%), followed by India (10%) and Brazil (7%).
FileFix Attack Using Steganography to Deploy StealC Infostealer
A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future.
UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns
The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.
Fourth Spyware Campaign Targeting French Apple Users in 2025
Apple has notified French users of a fourth spyware campaign in 2025. The Computer Emergency Response Team of France (CERT-FR) confirmed the alerts on September 3, 2025. The campaign targets individuals based on their status or function, including journalists, lawyers, activists, politicians, and senior officials. The alerts are part of a series of notifications sent throughout the year, with previous alerts on March 5, April 29, and June 25. These alerts indicate that at least one device linked to the users' iCloud accounts may have been compromised in highly-targeted attacks. The campaign follows a previous incident involving a security flaw in WhatsApp (CVE-2025-55177) and an Apple iOS bug (CVE-2025-43300), which were used in zero-click attacks. Apple has been sending these notifications since November 2021. Apple introduced Memory Integrity Enforcement (MIE) in the latest iPhone models to combat memory corruption vulnerabilities.
Active exploitation of CVE-2025-5086 in DELMIA Apriso
CVE-2025-5086, a critical deserialization flaw in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software, is being actively exploited. The vulnerability, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. Exploitation attempts have been observed, targeting the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint with a Base64-encoded payload. The payload decodes to a GZIP-compressed Windows executable that deploys a malicious program designed to spy on user activities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, advising Federal Civilian Executive Branch (FCEB) agencies to apply updates by October 2, 2025. The malware, identified as Trojan.MSIL.Zapchast.gen, captures keyboard input, takes screenshots, and gathers information about active applications. This information is then sent to the attacker via various means, including email, FTP, and HTTP. The exploit involves sending a malicious SOAP request to vulnerable endpoints. The malicious requests were observed originating from the IP 156.244.33[.]162.