attack 2025

AgentTypo: Adaptive Typographic Prompt Injection Attacks against Black-box Multimodal Agents

Yanjie Li , Yiming Cao , Dong Wang , Bin Xiao

1 citation · 70 references · arXiv


Published on arXiv: 2510.04257

Input Manipulation Attack

OWASP ML Top 10 — ML01

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

AgentTypo raises image-only attack success rate from 23% to 45% on GPT-4o web agents and achieves 68% ASR in image+text settings, outperforming all baselines including AgentAttack.

AgentTypo / ATPI (Automatic Typographic Prompt Injection)

Novel technique introduced


Multimodal agents built on large vision-language models (LVLMs) are increasingly deployed in open-world settings but remain highly vulnerable to prompt injection, especially through visual inputs. We introduce AgentTypo, a black-box red-teaming framework that mounts adaptive typographic prompt injection by embedding optimized text into webpage images. Our automatic typographic prompt injection (ATPI) algorithm maximizes prompt reconstruction by substituting captioners while minimizing human detectability via a stealth loss, with a Tree-structured Parzen Estimator guiding black-box optimization over text placement, size, and color. To further enhance attack strength, we develop AgentTypo-pro, a multi-LLM system that iteratively refines injection prompts using evaluation feedback and retrieves successful past examples for continual learning. Effective prompts are abstracted into generalizable strategies and stored in a strategy repository, enabling progressive knowledge accumulation and reuse in future attacks. Experiments on the VWA-Adv benchmark across Classifieds, Shopping, and Reddit scenarios show that AgentTypo significantly outperforms the latest image-based attacks such as AgentAttack. On GPT-4o agents, our image-only attack raises the success rate from 0.23 to 0.45, with consistent results across GPT-4V, GPT-4o-mini, Gemini 1.5 Pro, and Claude 3 Opus. In image+text settings, AgentTypo achieves 0.68 ASR, also outperforming the latest baselines. Our findings reveal that AgentTypo poses a practical and potent threat to multimodal agents and highlight the urgent need for effective defense.


Key Contributions

  • ATPI algorithm that jointly maximizes typographic prompt reconstruction (via substitute captioners) and minimizes human detectability via a stealth loss, with Tree-structured Parzen Estimator optimizing text placement, size, and color.
  • AgentTypo-pro: a multi-LLM system that iteratively refines injection prompts using evaluation feedback, RAG over past successful examples, and a strategy repository for continual attack knowledge accumulation.
  • Empirical demonstration raising attack success rate from 23% to 45% (image-only) and 68% (image+text) on GPT-4o-based web agents, outperforming state-of-the-art baselines across four commercial VLM backends.

🛡️ Threat Analysis

Input Manipulation Attack

AgentTypo crafts adversarial visual inputs — webpage images with embedded, optimized text — using black-box TPE optimization and a stealth loss to manipulate VLM outputs. The images are specifically engineered to maximize instruction-following while minimizing human detectability, fitting the adversarial visual input manipulation criterion for dual ML01+LLM01 tagging.


Details

Domains
vision, nlp, multimodal
Model Types
vlm, llm
Threat Tags
black_box, inference_time, targeted, digital
Datasets
VWA-Adv
Applications
multimodal web agents, LLM-based autonomous agents, classifieds platforms, e-commerce shopping agents, social media agents