Text is All You Need for Vision-Language Model Jailbreaking

TL;DR

This paper introduces Text-DJ, an attack exploiting LVLMs' OCR to bypass safety safeguards by presenting harmful queries as a grid of images, revealing a vulnerability in current safety measures.

Contribution

The work presents a novel jailbreak method that combines query decomposition and distraction to bypass safety filters in LVLMs using OCR-based adversarial inputs.

Findings

Successfully bypasses safety safeguards in state-of-the-art LVLMs

Reveals OCR vulnerabilities to multi-image adversarial inputs

Highlights need for improved defenses against fragmented multimodal attacks

Abstract

Large Vision-Language Models (LVLMs) are increasingly equipped with robust safety safeguards to prevent responses to harmful or disallowed prompts. However, these defenses often focus on analyzing explicit textual inputs or relevant visual scenes. In this work, we introduce Text-DJ, a novel jailbreak attack that bypasses these safeguards by exploiting the model's Optical Character Recognition (OCR) capability. Our methodology consists of three stages. First, we decompose a single harmful query into multiple and semantically related but more benign sub-queries. Second, we pick a set of distraction queries that are maximally irrelevant to the harmful query. Third, we present all decomposed sub-queries and distraction queries to the LVLM simultaneously as a grid of images, with the position of the sub-queries being middle within the grid. We demonstrate that this method successfully circumvents the safety alignment of state-of-the-art LVLMs. We argue this attack succeeds by (1) converting text-based prompts into images, bypassing standard text-based filters, and (2) inducing distractions, where the model's safety protocols fail to link the scattered sub-queries within a high number of irrelevant queries. Overall, our findings expose a critical vulnerability in LVLMs' OCR capabilities that are not robust to dispersed, multi-image adversarial inputs, highlighting the need for defenses for fragmented multimodal inputs.