Generate "Normal", Edit Poisoned: Branding Injection via Hint Embedding in Image Editing

TL;DR

This paper uncovers a security vulnerability where hidden branding information embedded in images can be re-rendered by generative models, posing risks in image editing workflows.

Contribution

It introduces a novel stealthy attack method using invisible hints for branding injection and proposes an effective mitigation strategy.

Findings

Injected logos achieved success rates of 44.4% and 32.2%.

Mitigation solutions increased success rates to 87.4% and 92.3%.

Hidden payloads remain visually imperceptible to users.

Abstract

With the rapid advancement of generative AI, users increasingly rely on image-generation models for image design and creation. To achieve faithful outputs, users typically engage in multi-turn interactions during image refinement: a text-to-image generation phase followed by a text-guided image-to-image editing phase. In this paper, we investigate a novel security vulnerability associated with such a workflow. Our key insight is that a nearly invisible hint, like branding information (e.g., a logo), embedded in an input image can be recognized by downstream generative models and subsequently re-rendered onto semantically related objects, even when the user prompt does not explicitly mention it. This form of hidden payload injection makes the attack stealthy. We study two realistic attack scenarios. The first is a phishing-based setting, in which an attacker controls an online image generation service and injects hidden content into generated images before they are returned to users. The second is a poison-based setting, where an attacker distributes a compromised text-to-image diffusion model whose output contains hidden content. We evaluate both attacks using six injected payloads, including well-known logos and customized designs, and demonstrate that the two attacks can achieve success rates of 44.4% and 32.2% on average, respectively, while ensuring the injected logos are visually imperceptible. We also develop a mitigation solution that achieves an average success rate of 87.4% and 92.3% against the phishing-based and poison-based attacks, respectively.