Reading Between the Pixels: An Inscriptive Jailbreak Attack on Text-to-Image Models

TL;DR

This paper introduces Etch, a black-box attack framework exposing vulnerabilities in text-to-image models by embedding harmful text within images, revealing a critical safety blind spot.

Contribution

The paper formalizes inscriptive jailbreaks, proposes the Etch attack method, and demonstrates its effectiveness across multiple models and benchmarks, highlighting safety concerns.

Findings

Etch achieves up to 91% attack success rate.

Existing safety filters struggle against inscriptive attacks.

The study exposes a critical blind spot in T2I safety mechanisms.

Abstract

Modern text-to-image (T2I) models can now render legible, paragraph-length text, enabling a fundamentally new class of misuse. We identify and formalize the inscriptive jailbreak, where an adversary coerces a T2I system into generating images containing harmful textual payloads (e.g., fraudulent documents) embedded within visually benign scenes. Unlike traditional depictive jailbreaks that elicit visually objectionable imagery, inscriptive attacks weaponize the text-rendering capability itself. Because existing jailbreak techniques are designed for coarse visual manipulation, they struggle to bypass multi-stage safety filters while maintaining character-level fidelity. To expose this vulnerability, we propose Etch, a black-box attack framework that decomposes the adversarial prompt into three functionally orthogonal layers: semantic camouflage, visual-spatial anchoring, and typographic encoding. This decomposition reduces joint optimization over the full prompt space to tractable sub-problems, which are iteratively refined through a zero-order loop. In this process, a vision-language model critiques each generated image, localizes failures to specific layers, and prescribes targeted revisions. Extensive evaluations across 7 models on the 2 benchmarks demonstrate that Etch achieves an average attack success rate of 65.57% (peaking at 91.00%), significantly outperforming existing baselines. Our results reveal a critical blind spot in current T2I safety alignments and underscore the urgent need for typography-aware defense multimodal mechanisms.