Researchers Show How AI Image Downscaling Can be an Attack Vector
It’s easy to hide secret information inside a picture – secret agents and hackers have done it for millennia. Now security researchers have discovered a method to hide malicious instructions in a digital image that appear only when the files are automatically resized by AI models.
The new class of attacks uses image scaling vulnerabilities to conduct prompt injections against AI systems, extracting user data from production platforms such as Google’s Gemini CLI, said Trail of Bits. The technique exploits the common practice of downscaling large images before processing, creating opportunities for attackers to embed instructions that are invisible at full resolution but show up when the image is compressed.
The attack works by manipulating specific pixels in high-resolution images, so that when AI systems automatically scale them down, hidden text containing malicious prompts emerges. Researchers targeted Google Gemini CLI, Vertex AI Studio, Gemini’s web and API interfaces, Google Assistant and Genspark.
The team demonstrated the attack’s potency by configuring the Gemini CLI with default settings that automatically approved tool calls without user confirmation. When a user uploaded what appeared to be a benign image, the scaling process revealed hidden instructions that triggered data exfiltration from Google Calendar to an attacker’s email address, all without user awareness or consent.
The vulnerability stems from how downscaling algorithms convert multiple high-resolution pixel values into a single low-resolution pixel value. The researchers identified three major downscaling algorithms as vulnerable: nearest neighbor interpolation, bilinear interpolation and bicubic interpolation. Each algorithm requires different exploitation techniques, and implementations vary across libraries including Pillow, PyTorch, OpenCV and TensorFlow.
Researchers developed Anamorpher, an open-source tool that generates crafted images for specific algorithms and implementations. Attackers modify specific pixels within dark regions of decoy images, making subtle brightness adjustments that are invisible at full resolution. When the downscaling algorithm processes these manipulated pixels, they shift dark backgrounds to specific colors like red while leaving other areas unchanged, creating enough contrast to reveal hidden text and instructions.
Researchers said that the vulnerability likely affects other systems they didn’t test.
Mobile and edge devices face particular risk because they more frequently enforce fixed image sizes and rely on downscaling algorithms. The constrained computing environments of these devices often require aggressive image compression, potentially amplifying the effectiveness of scaling-based attacks.
The discovery builds on previous research into image scaling attacks, which were used primarily for model backdoors, evasion and poisoning against older computer vision systems. Newer AI approaches have fewer size constraints, but the systems surrounding the models still impose limitations that need image scaling.
To identify vulnerable systems, the researchers developed a custom fingerprinting methodology using test images with checkerboard patterns, concentric circles, vertical and horizontal bands, and slanted edges. These test patterns show artifacts such as ringing, blurring, edge handling, aliasing and color inconsistencies that indicate the underlying downscaling algorithm and implementation.
The attack exploits principles from the Nyquist-Shannon sampling theorem, which governs how frequently data must be sampled to accurately reconstruct original signals. When sampling rates fall below critical thresholds, aliasing effects occur that can be manipulated to create entirely different patterns than those present in the original image.
The researchers said that switching between downscaling algorithms offers insufficient protection because image scaling attacks are not limited to the three major interpolation methods they targeted. They recommend against using image downscaling altogether, instead suggesting that systems simply limit upload dimensions to avoid the need for scaling.
For systems that must perform image transformations, the researchers advise providing end users with previews of exactly what the AI model processes, including in command-line and API tools where such previews are typically absent. This transparency would allow users to detect potential manipulations before submitting images to AI systems.
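The two mitigations above, refusing uploads that would need scaling and showing the user exactly what the model will see, can be sketched in a few lines. The following is an added example written for this article, not code from Trail of Bits or from any of the products named; it uses plain 2-D lists of 8-bit grayscale values, a constructed 64x64 policy limit, and nearest-neighbor resampling (one of the three algorithms the researchers named) so that the "one source pixel decides the output" behaviour behind the aliasing is visible next to an area average that no single pixel can dominate.

```python
"""Defensive gate for images headed to a multimodal model (added example)."""

MAX_W, MAX_H = 64, 64   # constructed policy limit, not a value from the article


def accept_upload(img, max_w=MAX_W, max_h=MAX_H):
    """Mitigation 1: accept only images that fit without any downscaling."""
    h, w = len(img), len(img[0])
    return w <= max_w and h <= max_h


def nearest_downscale(img, out_w, out_h):
    """Nearest neighbour: one source pixel per output pixel, all others dropped."""
    h, w = len(img), len(img[0])
    return [[img[y * h // out_h][x * w // out_w] for x in range(out_w)]
            for y in range(out_h)]


def box_downscale(img, out_w, out_h):
    """Area average: every source pixel in the block contributes to the output."""
    h, w = len(img), len(img[0])
    out = []
    for oy in range(out_h):
        y0, y1 = oy * h // out_h, (oy + 1) * h // out_h
        row = []
        for ox in range(out_w):
            x0, x1 = ox * w // out_w, (ox + 1) * w // out_w
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out


def preview_divergence(img, out_w, out_h):
    """Mitigation 2: return the exact pixels the model will see (for a user
    preview) and the largest gap between them and the area average. A large
    gap means a handful of source pixels decided the output, which is the
    condition the scaling attack depends on."""
    seen = nearest_downscale(img, out_w, out_h)
    avg = box_downscale(img, out_w, out_h)
    gap = max(abs(a - b) for ra, rb in zip(seen, avg) for a, b in zip(ra, rb))
    return seen, gap


def sample_image():
    """Constructed 8x8 fixture: a dark image whose four sampled pixels are bright."""
    img = [[20] * 8 for _ in range(8)]
    for y, x in ((0, 0), (0, 4), (4, 0), (4, 4)):
        img[y][x] = 220
    return img
```

Rendering `seen` back to the user (or logging `gap` in a CLI or API path, where no preview exists) makes a mismatch between the uploaded picture and the model's input visible before any tool call runs.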
The broader implications extend beyond image manipulation to fundamental security design for AI systems. The researchers argue that the strongest defense involves implementing secure design patterns that prevent any input, particularly text within images, from initiating sensitive operations without explicit user confirmation.
The discovery represents the latest in a series of prompt injection attacks targeting agentic coding tools, including previous demonstrations against Claude Code and OpenAI Codex. These earlier attacks achieved data exfiltration and remote code execution through various vectors, showing persistent security gaps in AI systems that interact with external tools and services.