Could Hidden Prompts in Images Put Your Data at Risk? What You Need to Know About AI Image Attacks

August 25, 2025

In a surprising twist, researchers at Trail of Bits have uncovered a novel AI attack that embeds hidden prompts in images. These prompts remain concealed until the images are downscaled, at which point they become visible to AI systems. This vulnerability has already been exploited to exfiltrate sensitive data from platforms such as Google Calendar, posing a significant threat to data security across various AI systems.

What Datapoints Were Leaked?

When researchers at Trail of Bits tested this new style of AI image attack, the results were alarming. By embedding hidden prompts within images, attackers could pull out sensitive data that most users wouldn’t expect to be at risk. These prompts aren’t visible to the naked eye—they only reveal themselves when images are automatically resized or downscaled by AI tools. Here’s what was actually leaked:

Types of Data Exfiltrated

  • Calendar Details: In one high-profile example, attackers managed to extract private Google Calendar entries. This included event titles, invitees, and even notes that were never meant to leave your screen.
  • User Credentials and Tokens: In some cases, these attacks allowed for the retrieval of authentication tokens or access links, which could open the door to broader account compromise.
  • Personal Information: Depending on how and where images were processed, even names, emails, and other private identifiers could be swept up and sent to an attacker’s system.

How Sensitive Data Was Targeted

The attack zeroes in on the way many AI tools process images:

  • Automated Image Downscaling: Platforms often resize images before analyzing them. The hidden prompts were crafted so they would only show up during this resizing process, tricking the AI into “reading” commands that are not visible in the full-resolution original.
  • Integration with Everyday Tools: Because many automation platforms (like those connecting Google Calendar with AI chatbots) handle images automatically, attackers could slip hidden instructions into routine workflows.

Known Data Breach Instances

So far, the most concrete breach involved Google Calendar. The attack worked like this: a calendar screenshot, innocently shared, contained a prompt that became visible only after resizing. The AI then read the prompt and executed commands—like copying out calendar events and sending them elsewhere—without any user awareness.

The Scope

  • Widespread Impact Potential: Any AI system or platform that processes user-uploaded images and resizes them could be a target.
  • Stealthy Attacks: Because the exfiltration is triggered by routine automation, users are unlikely to notice until it’s too late.

Sensitive information isn’t just at risk from obvious phishing attempts anymore. The line between harmless image and dangerous data leak is thinner than ever.

Should You Be Worried?

When AI systems start processing images, the risks aren’t just theoretical—they’re real, and they’re growing. Recent findings by Trail of Bits have pulled back the curtain on how attackers can exploit the basic steps AI models use to process images. If you’re using platforms that connect tools like Gemini with automation services such as Zapier, it’s time to pay close attention.

How Attacks Work

The root of the problem lies in how AI interprets images. Attackers can embed hidden instructions, called “hidden prompts,” directly into image files. These aren’t visible to the naked eye, but they can manipulate the AI’s behavior when the image is processed.

  • Hidden Prompts: Attackers encode secret commands within an image. When AI models process these images, the hidden instructions get executed, influencing the AI’s output or actions.
  • Automated Workflow Risks: If you’ve set up automated workflows (say, using Zapier to move data between apps based on image analysis), a single compromised image can trigger unwanted actions across multiple connected services.
  • Widespread Impact: This isn’t just a problem for one or two platforms. The way AI models process images—extracting text, identifying objects, or generating captions—makes nearly all image-processing AIs susceptible to this form of attack.
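To make the downscaling mechanism concrete, here is an added example (not from the original post, Trail of Bits, or Cloaked) that renders the “model’s view” of a constructed grayscale grid under two common resamplers and flags images whose downscaled content depends heavily on which resampler is used. The list-of-rows image format and the review threshold are assumptions.

```python
# Added example (not from the original post): render the "model's view" of an image
# by downscaling it the way a pipeline would, and flag images whose downscaled
# content changes a lot depending on the resampling method.
# Assumptions: 8-bit grayscale images as lists of rows; the factor divides both
# dimensions; the review threshold is a constructed value.

def downscale_nearest(img, factor):
    """Nearest-neighbour: keep one source pixel per output pixel, drop the rest."""
    return [row[::factor] for row in img[::factor]]

def downscale_box(img, factor):
    """Box (area) filter: average every factor x factor block of source pixels."""
    out = []
    for y in range(0, len(img), factor):
        row = []
        for x in range(0, len(img[0]), factor):
            block = [img[y + dy][x + dx]
                     for dy in range(factor) for dx in range(factor)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out

def mean_abs_diff(a, b):
    """Average per-pixel difference between two equally sized images."""
    total = sum(abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb))
    return total / (len(a) * len(a[0]))

def resampling_sensitivity(img, factor):
    """How far apart two common resamplers leave the model's view of `img`."""
    return mean_abs_diff(downscale_nearest(img, factor), downscale_box(img, factor))

def needs_review(img, factor, threshold=32.0):
    """Flag for manual review when the downscaled content is resampler-dependent."""
    return resampling_sensitivity(img, factor) > threshold

# Constructed sample: only every other pixel in every other row is bright, so a
# viewer sees a mostly dark image, but nearest-neighbour sampling at factor 2
# lands exactly on the bright pixels and shows the model a fully white image.
def sparse_bright(h, w, bright=255, dark=0):
    return [[bright if (y % 2 == 0 and x % 2 == 0) else dark
             for x in range(w)] for y in range(h)]

def flat(h, w, value=128):
    return [[value] * w for _ in range(h)]

if __name__ == "__main__":
    img = sparse_bright(8, 8)
    print(downscale_nearest(img, 2)[0], downscale_box(img, 2)[0])
    print("review needed:", needs_review(img, 2), needs_review(flat(8, 8), 2))
```

The preview a user should be shown is the output of whichever downscaler the pipeline really uses, not the full-size upload.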

Who Should Be Concerned?

Not everyone needs to panic, but some groups face higher stakes than others:

  • Businesses Using Automation: Companies automating tasks through image-to-text AI pipelines are at the greatest risk. A single tainted image can lead to data leaks, spam, or even unauthorized access.
  • Developers Integrating AI Tools: If you’re plugging third-party AI services into your workflow, especially without in-depth security checks, you’re in the crosshairs.
  • Anyone Handling Sensitive Data: If your images contain confidential or personal information, attackers can potentially use these vulnerabilities to extract or manipulate sensitive content.

Why It’s a Broad Problem

The steps exploited—like converting images to data, extracting text, or running image recognition—are universal across most AI and automation platforms. That means:

  • No Platform Is Immune: Whether it’s a big-name AI provider or a lesser-known tool, if it processes images, it’s potentially vulnerable.
  • Simple Image Uploads Become Risky: What used to be a routine upload can now serve as a backdoor for attackers.

A Note on Cloaked

Tools like Cloaked are starting to address this issue by offering privacy-focused AI processing. With features designed to protect sensitive data and filter out suspicious content before it enters your workflow, solutions like Cloaked can add a layer of defense for organizations relying on AI automation. It’s not a silver bullet, but it’s a step in the right direction for anyone serious about security.

Stay alert. If your work or business depends on AI-powered image handling, these risks can’t be ignored.

What Should Be Your Next Steps?

When it comes to defending against image-based AI attacks, waiting and hoping for the best isn’t a strategy—it’s a risk. Here’s a practical rundown to keep your systems and data safer:

1. Set Strict Image Dimension and Format Restrictions

  • Limit accepted image sizes and formats. Attackers often rely on oversized or non-standard image files to smuggle in hidden prompts or code.
  • Standardize image handling. Only allow a narrow list of file types (like JPEG, PNG) and explicitly reject anything else.

2. Preview and Verify All Images

  • Downscale images before processing. Hidden prompts can be embedded in large or oddly formatted images. Downscaling strips out much of the sneaky data that can trip up your AI.
  • Show a visual preview before any image is processed. If an image looks off or doesn’t match the expected context, flag it for manual review.

3. Require User Confirmation for Sensitive Actions

  • Add a confirmation step for high-impact tasks. If an action could trigger a payment, change permissions, or reveal confidential data, make sure a real person double-checks it.
  • Prompt users to review their choices. Even a quick “Are you sure?” can catch accidental or malicious AI-triggered actions.

4. Build Systematic Defenses Against Prompt Injection

  • Regularly audit your AI’s input and output logs. Look for strange patterns or inputs that could signal an attack.
  • Monitor for prompt injection attempts. Automated monitoring tools can help spot suspicious input before it becomes a problem.
  • Enforce a separation of user-generated content and system prompts. Never let user input directly modify critical prompts or instructions.
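Steps 3 and 4 above can be combined into one policy layer. The following is an added example (not from the original post or from Cloaked) that fences image-derived text as untrusted data, audits it for instruction-like phrasing, and routes every action the workflow proposes through a block / confirm / allow decision; the tool names, the host allowlist and the pattern list are hypothetical placeholders.

```python
import re

# Added example, not from the original post or Cloaked: treat text extracted from an
# image as untrusted data and gate the actions a workflow proposes afterwards.
# Assumptions (hypothetical): actions are dicts {"tool": str, "args": dict};
# the tool names, allowlisted hosts and patterns below are constructed placeholders.

SENSITIVE_TOOLS = {"send_email", "share_calendar", "http_post",
                   "change_permissions", "make_payment"}
ALLOWED_HOSTS = {"calendar.internal.example"}

# Phrases that signal instruction-like content inside what should be plain data.
INJECTION_PATTERNS = [
    re.compile(r"ignore\s+(all\s+|any\s+)?(previous|prior)\s+instructions", re.I),
    re.compile(r"\b(send|forward|post|upload)\b.*\b(to|at)\b.*(https?://|@)", re.I),
]

def wrap_untrusted(extracted_text):
    """Fence image-derived text so the model sees it as data, not instructions."""
    cleaned = extracted_text.replace("</untrusted_image_text>", "")
    return "<untrusted_image_text>\n" + cleaned + "\n</untrusted_image_text>"

def looks_like_instruction(extracted_text):
    """Audit hook: flag extracted text that reads like a command (step 4)."""
    return any(p.search(extracted_text) for p in INJECTION_PATTERNS)

def external_hosts(args):
    """Hosts referenced in the action's arguments that are not on the allowlist."""
    hosts = []
    for v in args.values():
        if isinstance(v, str) and "://" in v:
            hosts.append(v.split("://", 1)[1].split("/", 1)[0])
    return [h for h in hosts if h not in ALLOWED_HOSTS]

def classify_action(action):
    """block: data leaves for an unknown host; confirm: high-impact tool; allow: rest."""
    if external_hosts(action.get("args", {})):
        return "block"
    if action.get("tool") in SENSITIVE_TOOLS:
        return "confirm"
    return "allow"

def gate(actions, confirm):
    """Apply the policy; `confirm(action)` asks a human and returns True/False (step 3)."""
    result = {"executed": [], "held": [], "blocked": []}
    for a in actions:
        verdict = classify_action(a)
        if verdict == "allow" or (verdict == "confirm" and confirm(a)):
            result["executed"].append(a)
        elif verdict == "confirm":
            result["held"].append(a)
        else:
            result["blocked"].append(a)
    return result
```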

Bottom line: Don’t wait for an attack to find your weak spot. Make these steps part of your standard operating procedure, and keep your AI as trustworthy as you need it to be.


Frequently Asked Questions

First, change your passwords—especially if you've reused them across sites. Then enable two-factor authentication (2FA) on all key accounts. Review your account and credit activity regularly for any unusual behavior. If suspicious actions surface, consider freezing your credit and alerting your bank. To proactively reduce exposure in the future, tools like Cloaked can mask your personal information before breaches happen.

Cloaked provides you with disposable emails, phone numbers, and payment details, making it harder for bad actors to access your real identity. These tools help you safely sign up for services, communicate, and shop online without putting your core identity at risk.

Commonly targeted data includes full names, email addresses, phone numbers, birthdates, physical addresses, login credentials, and payment info. Tools like Cloaked help shield this information by providing secure, masked alternatives.

Always be skeptical. Malicious links are one of the most common ways hackers infect devices or steal data. Avoid clicking unless you can verify the source. Services like Cloaked can add layers of security so your real contact info isn’t exposed even if you make a mistake.

Using the same contact info across platforms makes it easy for attackers to build a full profile of you. If one platform gets breached, all your accounts can be at risk. That’s why Cloaked allows you to use different, secure contact methods for each service.
