
20250822 - Prompt-inject an AI chatbot with ... an image!
About this content
‘What is this chatbot vulnerable to?’ ‘Yes.’
Text version: https://pivot-to-ai.com/2025/08/22/prompt-inject-an-ai-chatbot-with-an-image/
Patreon: https://www.patreon.com/davidgerard
Ko-Fi: https://ko-fi.com/A1529D5
Buy me nice things: https://www.amazon.co.uk/hz/wishlist/ls/3Q8VZW46J6DM6
Get an extremely cool Pivot to AI shirt or mug: https://pivot-to-ai.redbubble.com
Sources:
Weaponizing image scaling against production AI systems https://blog.trailofbits.com/2025/08/21/weaponizing-image-scaling-against-production-ai-systems/
Multimodal neurons in artificial neural networks https://openai.com/index/multimodal-neurons/
Adversarial Preprocessing: Understanding and Preventing Image-Scaling Attacks in Machine Learning https://www.usenix.org/conference/usenixsecurity20/presentation/quiring
“In Unicode, flag emojis are represented by the emoji” https://x.com/goodside/status/1745511944465870901
“Gemini still gets tripped by it.” https://mastodon.social/@eliocamp/115069737789365526
USENIX Security ’20 — Adversarial Preprocessing: Understanding and Preventing Image-Scaling Attacks https://www.youtube.com/watch?v=6xEda18WIUU&list=UU9rJrMVgcXTfa8xuMnbhAEA
Microsoft Copilot: From Prompt Injection to Exfiltration of Sensitive Data | Exploit Chain Explained https://www.youtube.com/watch?v=A-ibygtWeYc&list=UU9rJrMVgcXTfa8xuMnbhAEA
Full Pivot to AI playlist: https://www.youtube.com/playlist?list=UU9rJrMVgcXTfa8xuMnbhAEA