Researchers at Trail of Bits have unveiled a novel attack that leverages image downscaling artifacts to perform hidden prompt injections against large language models (LLMs). The attack embeds malicious instructions into high-resolution images that appear harmless to the human eye but become visible when the image is downscaled, a process most AI systems perform automatically for efficiency.
This allows attackers to execute prompt injections without the user’s knowledge, potentially leading to data exfiltration, unauthorized tool execution, or manipulation of outputs across AI platforms.
How the Attack Works
When users upload images into AI systems, the images are often downscaled using algorithms like nearest neighbor, bilinear, or bicubic interpolation. These resampling methods unintentionally introduce aliasing artifacts, which attackers can exploit by carefully crafting pixel arrangements.
In practice:
- The full-resolution image looks benign.
- Once downscaled, hidden instructions appear (for example, dark areas shifting to red and text appearing in black).
- The AI model interprets the hidden text as part of the user’s instructions and executes it.
Trail of Bits demonstrated this by exfiltrating Google Calendar data via Gemini CLI using Zapier MCP with trust=True. The attack required no user confirmation since the tool calls were automatically approved.
Affected Platforms
The researchers confirmed that their attack is feasible against multiple production AI systems, including:
- Google Gemini CLI
- Vertex AI Studio (Gemini backend)
- Gemini’s web interface and API
- Google Assistant (Android)
- Genspark
To aid reproducibility, they released Anamorpher, an open-source tool capable of generating crafted images for different downscaling algorithms.
Why This Works: The Image-Scaling Blind Spot
This attack builds on earlier academic research (2020, TU Braunschweig) that described the possibility of image-scaling attacks in machine learning. While originally focused on computer vision, Trail of Bits weaponized the idea for multi-modal prompt injection.
The vulnerability arises because:
- AI systems enforce fixed image sizes, making downscaling inevitable.
- Interpolation creates predictable patterns that attackers can reverse-engineer.
- Users see the high-resolution input, but the LLM sees the downscaled version, creating a mismatch between perception and processing.
Security Implications
The attack is particularly dangerous because it exploits a fundamental preprocessing step in AI pipelines rather than relying on a single bug. It highlights:
- A mismatch between what the user sees and what the model processes.
- The risk of silent prompt injection hidden inside non-textual data.
- The potential for cross-system exploitation, as the same crafted image may work against multiple AI systems using similar algorithms.
This expands the attack surface for AI, particularly in multi-modal systems that handle both text and images.
Mitigation Strategies
Trail of Bits recommends several defensive measures:
- Avoid automatic downscaling when possible; enforce fixed input dimensions instead.
- Preview the downscaled image to users so they can see what the model sees.
- Require explicit confirmation for sensitive tool calls, especially if hidden text is detected within images.
- Adopt secure design patterns that mitigate prompt injection across modalities, rather than patching single attack vectors.
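The following is an added example, not code from Trail of Bits, Netizen, or any of the affected products. It ties together the mechanism described under "How the Attack Works" and two of the mitigations listed above (show the user what the model sees; never auto-approve tool calls when the image is suspect). It downscales an image twice: once with the aliasing-prone nearest-neighbour sampler the article mentions, and once with an area (box) average to which every source pixel contributes. A benign photo gives nearly identical results; an image whose content changes on downscaling does not, and that mean difference becomes a score the pipeline can act on. Images are plain Python lists of grey values so it runs without NumPy or Pillow; the threshold, the tiny model input size, and both sample images are constructed assumptions for the demo.

```python
"""Defender-side check for image-scaling mismatches (added example, not vendor code)."""

MISMATCH_THRESHOLD = 20.0  # assumption: mean grey-level difference; tune on benign traffic


def nearest_downscale(img, factor):
    """Keep one source pixel (the block centre) per factor x factor block.

    This is the aliasing-prone behaviour: every other pixel in the block is
    simply discarded, so content can be placed where the sampler looks.
    """
    h, w = len(img), len(img[0])
    off = factor // 2
    return [[img[min(y + off, h - 1)][min(x + off, w - 1)]
             for x in range(0, w, factor)]
            for y in range(0, h, factor)]


def area_downscale(img, factor):
    """Average every source pixel in each factor x factor block (anti-aliased)."""
    h, w = len(img), len(img[0])
    out = []
    for y in range(0, h, factor):
        row = []
        for x in range(0, w, factor):
            block = [img[yy][xx]
                     for yy in range(y, min(y + factor, h))
                     for xx in range(x, min(x + factor, w))]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def scaling_mismatch(img, factor):
    """Mean absolute difference (0..255) between the two downscaled versions."""
    a = nearest_downscale(img, factor)
    b = area_downscale(img, factor)
    diffs = [abs(pa - pb) for ra, rb in zip(a, b) for pa, pb in zip(ra, rb)]
    return sum(diffs) / len(diffs)


def prepare_image(img, model_edge):
    """Produce the view the model will receive plus a flag for the caller.

    model_edge is the fixed input size the backend enforces.  If no downscale is
    needed the image passes through untouched; otherwise the area-averaged
    version is returned (and should be previewed to the user) together with
    the mismatch score.
    """
    h, w = len(img), len(img[0])
    factor = -(-max(h, w) // model_edge)  # ceiling division
    if factor <= 1:
        return {"model_view": img, "mismatch": 0.0, "flagged": False, "downscaled": False}
    mismatch = scaling_mismatch(img, factor)
    return {
        "model_view": area_downscale(img, factor),
        "mismatch": mismatch,
        "flagged": mismatch > MISMATCH_THRESHOLD,
        "downscaled": True,
    }


def tool_call_decision(sensitive, image_flagged, trust=False):
    """Gate a tool call: a trust-everything setting never overrides a flagged image."""
    if sensitive or image_flagged:
        return "require_confirmation"
    return "auto_approve" if trust else "require_confirmation"


# --- constructed sample inputs (32x32 grey images) ---

def gradient_image():
    """Benign: a smooth left-to-right ramp; both samplers agree closely."""
    return [[x * 8 for x in range(32)] for _ in range(32)]


def aliasing_image():
    """Suspect: light everywhere except one dark pixel at each 8x8 block centre."""
    return [[10 if (y % 8 == 4 and x % 8 == 4) else 220 for x in range(32)]
            for y in range(32)]


if __name__ == "__main__":
    for name, img in (("gradient", gradient_image()), ("aliasing", aliasing_image())):
        r = prepare_image(img, model_edge=4)  # assumption: 4x4 model input for the demo
        print(f"{name}: mismatch={r['mismatch']:.2f} flagged={r['flagged']}")
        print("  sensitive tool call:", tool_call_decision(True, r["flagged"], trust=True))
        print("  benign tool call:   ", tool_call_decision(False, r["flagged"], trust=True))
```

With a 4x4 model input the benign ramp scores a mismatch of 4.0 and is auto-approvable, while the constructed aliasing pattern collapses to an all-dark 4x4 view under nearest-neighbour sampling but stays light under area averaging, scoring about 207 and forcing confirmation for every tool call. In a real pipeline the area-averaged `model_view` is what should be both sent to the model and shown to the user, so the two no longer diverge.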
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.
