Low Resource Reconstruction Attacks Through Benign Prompts
Sol Yarkoni, Mahmood Sharif, Roi Livni

TL;DR
This paper introduces a low-resource, accessible attack method that identifies benign prompts capable of unintentionally reconstructing sensitive images from generative models, highlighting privacy risks even for non-expert users.
Contribution
The authors present a novel low-resource attack technique that uncovers risks of unintentional image reconstruction from benign prompts, exposing fundamental privacy vulnerabilities in generative models.
Findings
Benign prompts can generate sensitive images, including real individuals.
Reconstruction risks are linked to scraped e-commerce data and templated layouts.
The attack requires minimal resources and little access to training data.
Abstract
Recent advances in generative models, such as diffusion models, have raised concerns related to privacy, copyright infringement, and data stewardship. To better understand and control these risks, prior work has introduced techniques and attacks that reconstruct images, or parts of images, from training data. While these results demonstrate that training data can be recovered, existing methods often rely on high computational resources, partial access to the training set, or carefully engineered prompts. In this work, we present a new attack that requires low resources, assumes little to no access to the training data, and identifies seemingly benign prompts that can lead to potentially risky image reconstruction. We further show that such reconstructions may occur unintentionally, even for users without specialized knowledge. For example, we observe that for one existing model, the…
Taxonomy
Topics: Advanced Memory and Neural Computing · Adversarial Robustness in Machine Learning
