MetaBackdoor: Exploiting Positional Encoding as a Backdoor Attack Surface in LLMs

TL;DR

MetaBackdoor reveals that positional encoding in Transformer-based LLMs can be exploited as a stealthy backdoor trigger, enabling attacks without altering input text and posing new security challenges.

Contribution

Introduces MetaBackdoor, a novel backdoor attack exploiting positional information as a trigger, expanding the threat model of LLM security beyond content-based methods.

Findings

Length-based positional triggers can activate backdoors stealthily.

Backdoored LLMs can leak sensitive internal information.

Positional triggers can be combined with content-based backdoors for enhanced stealth.

Abstract

Backdoor attacks pose a serious security threat to large language models (LLMs), which are increasingly deployed as general-purpose assistants in safety- and privacy-critical applications. Existing LLM backdoors rely primarily on content-based triggers, requiring explicit modification of the input text. In this work, we show that this assumption is unnecessary and limiting. We introduce MetaBackdoor, a new class of backdoor attacks that exploits positional information as the trigger, without modifying textual content. Our key insight is that Transformer-based LLMs necessarily encode token positions to process ordered sequences. As a result, length-correlated positional structure is reflected in the model's internal computation and can be used as an effective non-content trigger signal. We demonstrate that even a simple length-based positional trigger is sufficient to activate stealthy backdoors. Unlike prior attacks, MetaBackdoor operates on visibly and semantically clean inputs and enables qualitatively new capabilities. We show that a backdoored LLM can be induced to disclose sensitive internal information, including proprietary system prompts, once a length condition is satisfied. We further demonstrate a self-activation scenario, where normal multi-turn interaction can move the conversation context into the trigger region and induce malicious tool-call behavior without attacker-supplied trigger text. In addition, MetaBackdoor is orthogonal to content-based backdoors and can be composed with them to create more precise and harder-to-detect activation conditions. Our results expand the threat model of LLM backdoors by revealing positional encoding as a previously overlooked attack surface. This challenges defenses that focus on detecting suspicious text and highlights the need for new defense strategies that explicitly account for positional triggers in modern LLM architectures.