Researchers Unveil Prompt-Stealing Attack Targeting Text-to-Image Models

Global: Researchers Unveil Prompt-Stealing Attack Targeting Text-to-Image Models

A team of researchers has introduced a new technique, dubbed Prometheus, that can reverse‑engineer the textual prompts behind images generated by popular text‑to‑image (T2I) systems. The approach, described in a recent arXiv preprint, aims to extract valuable prompt information from platforms such as PromptBase and AIFrog by interacting with a locally hosted proxy model. By doing so, the authors highlight a previously underexplored vulnerability in the workflow of AI‑generated art.

Methodology Overview

According to the authors, Prometheus operates without additional training and relies on a three‑stage process. First, it supplements traditional static modifiers with dynamically generated ones. Second, a contextual matching algorithm ranks both sets of modifiers to narrow the subsequent search space. Finally, the system conducts a greedy search against a proxy model, using feedback to iteratively refine the reconstructed prompt.

Dynamic Modifiers and NLP Generation

The paper explains that dynamic modifiers are created on the fly through natural‑language‑processing analysis of the target image. This step adds detail specific to each showcase, moving beyond the fixed style descriptors employed in earlier attacks. The researchers argue that the added granularity improves the relevance of candidate prompts during the search.

Contextual Matching to Reduce Search Space

In the second stage, a contextual matching algorithm evaluates the compatibility of static and dynamic modifiers with the target image. By sorting and filtering these modifiers offline, the method reduces the combinatorial explosion that typically hampers exhaustive prompt reconstruction.

Greedy Search with Proxy Model Feedback

The final stage engages a local proxy diffusion model. The system proposes prompt candidates, receives feedback on image fidelity, and greedily selects the next best modification. This loop continues until the reconstructed prompt reaches a predefined similarity threshold.

Evaluation Against Popular Platforms

Experimental results reported by the authors show that Prometheus successfully extracted prompts from showcases on PromptBase and AIFrog when targeting victim models including Midjourney, Leonardo.ai, and DALL·E. The authors note an average ASR (Attack Success Rate) improvement of 25.0% compared with prior state‑of‑the‑art techniques.

Resistance to Defenses and Implications

Further testing indicated that the approach remained effective against a range of proposed defensive measures, suggesting a notable practical risk for creators who treat prompts as intellectual property. The researchers caution that the findings underscore the need for stronger safeguards around prompt confidentiality in the rapidly expanding T2I ecosystem.

This report is based on information from arXiv, licensed under Academic Preprint / Open Access. Based on the abstract of the research paper. Full text available via ArXiv.