Trap images: They use photos with invisible messages that trick AI platforms into giving away your data.

A group of security experts has discovered a new form of attack that uses images to trick AI into stealing users' personal data. These images look completely normal, but they actually hide invisible messages that only machines can read.
In other words, graphic manipulation techniques produce images that can fool artificial intelligence systems into revealing information without the victim noticing.
Attack revealed through instructions hidden in images

According to a report by researchers at Trail of Bits, the mechanism relies on hiding invisible instructions within an image. When a person uploads a photo to AI systems such as Gemini CLI, Vertex AI Studio, the Gemini API, Google Assistant or Genspark, among others, the system processes the image and ends up executing those hidden instructions.
This mechanism works through image scaling, an automatic process during which the hidden messages appear and the artificial intelligence interprets them as commands. The technique can end up sharing private information without the user's knowledge. The researchers ran several tests and demonstrated that it was possible to extract data from widely used applications.
In one of them, they managed to access a user's Google Calendar, extract their data, and send it to an email address without the user's confirmation. They also warn that this is not an isolated case, as there are other very similar attacks that exploit weaknesses in programming tools and manage to execute code remotely in different environments.
The report notes that these attacks can be carried out against three common algorithms used to reduce image size: nearest neighbor interpolation, bilinear interpolation, and bicubic interpolation. To insert the hidden messages, they used a tool called Anamorpher, which hides them in the darkest areas of the image, rendering them invisible to the human eye but not to a machine.
How to prevent this attack

To prevent this, the researchers recommend avoiding automatic image downscaling and instead limiting the dimensions directly at upload. They also suggest previewing what the model actually interprets, even when it is used from the command line or through an API.
Of course, the safest solution, as they explain, is to design systematic defenses against these types of hidden instructions and to require explicit user confirmation before executing sensitive actions.
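As an added example that is not part of the article or of Trail of Bits' own tooling, the check below implements the "preview what the model actually interprets" advice in pure Python: it downscales a grayscale image both by sampling (as nearest-neighbor interpolation does) and by averaging every pixel of each block, and flags the upload when the two previews diverge. The test images, the sampling position and the threshold are constructed assumptions for the demonstration.

```python
# Added example, not code from the article or from Trail of Bits: a defender-side
# check for image-scaling attacks. Grayscale images are lists of rows of ints 0..255.
def downscale_nearest(img, factor):
    """Sampling downscale: keep the top-left pixel of each factor x factor block.
    Assumption: real libraries sample near the block centre; the point is the
    same, one input pixel decides the output and the rest are discarded."""
    return [[img[r * factor][c * factor]
             for c in range(len(img[0]) // factor)]
            for r in range(len(img) // factor)]

def downscale_area(img, factor):
    """Anti-aliased downscale: every pixel in a block contributes to the average."""
    out = []
    for r in range(len(img) // factor):
        row = []
        for c in range(len(img[0]) // factor):
            block = [img[r * factor + dr][c * factor + dc]
                     for dr in range(factor) for dc in range(factor)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out

def scaling_divergence(img, factor):
    """Mean absolute difference (0..255) between the sampled preview and the
    averaged one. A normal photo gives a small value; an image whose downscaled
    appearance is dictated by isolated pixels gives a large one."""
    a, b = downscale_nearest(img, factor), downscale_area(img, factor)
    total = sum(abs(a[r][c] - b[r][c])
                for r in range(len(a)) for c in range(len(a[0])))
    return total / (len(a) * len(a[0]))

def should_flag(img, factor, threshold=20.0):
    """Policy hook: route the upload to a human preview (or reject it) instead of
    forwarding the downscaled image to the model. The threshold is an assumption."""
    return scaling_divergence(img, factor) > threshold

# Constructed test images (not real samples): a flat grey "photo", and the same
# photo with single dark pixels placed exactly where the sampler reads, forming
# a checkerboard that only exists in the downscaled version.
FACTOR = 4
BENIGN = [[200] * 16 for _ in range(16)]
TAMPERED = [row[:] for row in BENIGN]
for r in range(0, 16, FACTOR):
    for c in range(0, 16, FACTOR):
        if (r // FACTOR + c // FACTOR) % 2 == 0:
            TAMPERED[r][c] = 0

if __name__ == "__main__":
    for name, img in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(name, round(scaling_divergence(img, FACTOR), 2), should_flag(img, FACTOR))
```

For the tampered image the averaged preview stays almost uniform (187.5 where a dark pixel sits) while the sampled preview is a full checkerboard, which is exactly the gap a human reviewer never sees unless the downscaled version is shown to them.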
20minutos