Saved in:
Bibliographic Details
Main Authors: Sun, Desen, Hon, Jason, Wang, Howe, Rajan, Saarth, Xu, Meng, Liu, Sihang
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2605.10600
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866910209303117824
author Sun, Desen
Hon, Jason
Wang, Howe
Rajan, Saarth
Xu, Meng
Liu, Sihang
author_facet Sun, Desen
Hon, Jason
Wang, Howe
Rajan, Saarth
Xu, Meng
Liu, Sihang
contents With the rapid advancement of generative AI, users increasingly rely on image-generation models for image design and creation. To achieve faithful outputs, users typically engage in multi-turn interactions during image refinement: a text-to-image generation phase followed by a text-guided image-to-image editing phase. In this paper, we investigate a novel security vulnerability associated with such a workflow. Our key insight is that a nearly invisible hint, like branding information (e.g., a logo), embedded in an input image can be recognized by downstream generative models and subsequently re-rendered onto semantically related objects, even when the user prompt does not explicitly mention it. This form of hidden payload injection makes the attack stealthy. We study two realistic attack scenarios. The first is a phishing-based setting, in which an attacker controls an online image generation service and injects hidden content into generated images before they are returned to users. The second is a poison-based setting, where an attacker distributes a compromised text-to-image diffusion model whose output contains hidden content. We evaluate both attacks using six injected payloads, including well-known logos and customized designs, and demonstrate that the two attacks can achieve success rates of 44.4% and 32.2% on average, respectively, while ensuring the injected logos are visually imperceptible. We also develop a mitigation solution that achieves an average success rate of 87.4% and 92.3% against the phishing-based and poison-based attacks, respectively.
format Preprint
id arxiv_https___arxiv_org_abs_2605_10600
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Generate "Normal", Edit Poisoned: Branding Injection via Hint Embedding in Image Editing
Sun, Desen
Hon, Jason
Wang, Howe
Rajan, Saarth
Xu, Meng
Liu, Sihang
Cryptography and Security
With the rapid advancement of generative AI, users increasingly rely on image-generation models for image design and creation. To achieve faithful outputs, users typically engage in multi-turn interactions during image refinement: a text-to-image generation phase followed by a text-guided image-to-image editing phase. In this paper, we investigate a novel security vulnerability associated with such a workflow. Our key insight is that a nearly invisible hint, like branding information (e.g., a logo), embedded in an input image can be recognized by downstream generative models and subsequently re-rendered onto semantically related objects, even when the user prompt does not explicitly mention it. This form of hidden payload injection makes the attack stealthy. We study two realistic attack scenarios. The first is a phishing-based setting, in which an attacker controls an online image generation service and injects hidden content into generated images before they are returned to users. The second is a poison-based setting, where an attacker distributes a compromised text-to-image diffusion model whose output contains hidden content. We evaluate both attacks using six injected payloads, including well-known logos and customized designs, and demonstrate that the two attacks can achieve success rates of 44.4% and 32.2% on average, respectively, while ensuring the injected logos are visually imperceptible. We also develop a mitigation solution that achieves an average success rate of 87.4% and 92.3% against the phishing-based and poison-based attacks, respectively.
title Generate "Normal", Edit Poisoned: Branding Injection via Hint Embedding in Image Editing
topic Cryptography and Security
url https://arxiv.org/abs/2605.10600