Ask HN: Possible or Fantasy?

2•ge96•1d ago

Imagine if you sent an image with encoded info (steganography) and an LLM or CV model happened to get the command from that image, then this model happened to be connected to MCP/agents and could execute these embedded commands.

Realistic attack vector or not? It's not an original idea seen in shows like Ghost in the Shell SAC 2045 and latest Black Mirror Thronglets

Comments

moritzwarhier•1d ago

The imaginary QR code from the episode, and real steganography, are completely orthogonal.

And the BM episode doesn't include any references to LLMs, or does it?

ge96•1d ago

Yeah by LLM (and I didn't specify above) I meant if you had a generic summary command/parsing images or OCR... it's probably not possible to extract code, maybe you can with words embedded in an image that is a sentence eg. "run this script"

edit: generic command as in "what does this image show" and the underlying mechanism is vulnerable to reading hidden data

moritzwarhier•1d ago

Yeah that's prompt injection but why the steganography? In a broader sense, sure. Who would let an unsupervised LLM or other AI operate on important resources, is the question, I think.

ge96•1d ago

steganography is just that it's image based

saw this thread about space selfie made me think of it

muzani•1d ago

They're able to "decode" base64 if you give it a popular quote, but if you modify the quote, it will often hallucinate the exact quote. If you enlarge images with it, it will often hallucinate bits and pieces of it.

So I'd do something that takes advantage of this behavior. It's like with morse code where many people know S.O.S. even if they don't know the other letters. You'd have to communicate in quotes and such.

ge96•22h ago

damn that's a good point about the built in random part ha (I know set temp to 0 but yeah)

muzani•13h ago

0 temp is still not completely deterministic :)

Pension Fund investors demand Musk put in a 40 HR week at Tesla

Penguin poop may help preserve Antarctic climate

A Disillusioned Musk, Distanced From Trump, Says He’s Exiting Washington

Sorry, I Still Think Mr Is Wrong About Usaid

The problem isn't phones. It's apps

I Lived Through Collapse. America Is Already There

The Design Change That Took 114 Lives [video]

Unsong Book

Introducing: Webbed Sites [video]

Randomness Requirements for Security

Show HN: We built an AI scheduling assistant with zero code written by a human

Show HN: Remote Dev Jobs Aggregator Sorted by Parental Leave/PTO

We Tested Google Veo and Runway to Create This AI Film. It Was Wild [video]

US Trade Court blocks Trump tariffs

Functional Programming and Theorem Proving in Lean 4

Show HN: PostcardLove – Send Real Postcards from Your Phone

Show HN: Handover.ai – Knowledge transfer made easy

Sky, Natural Computing for the Macintosh

Chinese paraglider cheats death after flying to 28,000ft

Trapped Priors as a Basic Problem of Rationality

Lia Radiological Accident

Show HN: I "vibed" a interactive classes tht teaches seniors 2 detect AI content

I automated my dev workflow with GitHub, Dagger, and AI Agents (video)

Show HN: Tapflow – Built for devs/designers with way too many docs

Weaponized AI chatbot floods Canadian city councils with climate misinformation

US trade court rules Trump overstepped his authority with global tariffs

Remembering the ISP That David Bowie Ran for Eight Years

The Web is the Next Platform (1995)

Nvidia beats on earnings and revenue as data center sales jump 73%

Court says Trump doesn't have the authority to set tariffs