Back to Blog
LegalTech & IA

The PNG that steals your passwords: when AI is too trusting

NakedPact Editorial Committee
Reviewer: Carmelo G.
Comitato Editoriale NakedPact
10 luglio 2026
10 min read
The PNG that steals your passwords: when AI is too trusting

An image is worth more than a thousand passwords

Imagine receiving a harmless PNG image, perhaps a company logo. You open it, and in an instant your AI assistant hands over all your passwords to the attacker. This is not science fiction: it really happened, as reported by Habr. A prompt injection attack exploited a PNG file to manipulate an AI agent, demonstrating that the security of intelligent systems is still fragile.

How the hacked PNG attack works

The AI agent, designed to assist users, interpreted the hidden content in the PNG as a legitimate command. Instead of just displaying the image, it executed malicious instructions, extracting and transmitting sensitive data such as passwords. It's like a butler seeing a photo of a thief and opening the front door for them.

The vulnerability lies in the AI's ability to process multimodal inputs (text, images, audio) without adequate filters. A PNG can contain metadata or hidden text that the agent interprets as commands, bypassing security controls.

GDPR and adequate technical measures: what the law says

The General Data Protection Regulation (GDPR) in Article 32 requires appropriate technical and organizational measures to ensure data security. A prompt injection attack via PNG demonstrates that these measures are insufficient if the AI is not designed to resist input manipulation.

Companies using AI agents must implement input validation, sandboxing, and granular access controls. Otherwise, they risk fines of up to 20 million euros or 4% of annual global turnover, as provided for in Article 83 of the GDPR.

Lessons for developers and users

For developers: do not blindly trust input. Any data, even an image, can be an attack vector. Use techniques such as input sanitization and limit AI permissions to what is strictly necessary.

For users: be wary of suspicious files, even if they come from seemingly trusted sources. A PNG can hide a malicious command. And if your AI assistant starts behaving strangely, it may already be compromised.

For more on AI security guidelines, consult the official GDPR text.

The future of AI security: humor and reality

If you thought reading Terms and Conditions was as tedious as cleaning tile grout with a toothbrush, wait until you have to check every PNG you open. But that's exactly the point: security is not an option, it's a necessity. And if an image can hack your AI, maybe it's time to rethink your digital habits.

Don't wait until the damage is done. Check your device privacy settings, update your software, and for the love of GDPR, don't click on suspicious PNGs.

✅ Checklist sicurezza AI anti-PNG
Spunta ogni voce per verificare la conformità GDPR
NakedPact Logo

NakedPact Editorial Committee

Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.

Do you own a website?

Do you own a website?

Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.

🛡️ Protect your rights with one click

Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.

Don't trust, verify.

Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.

Analyze Your Contract Now

Rispettiamo la tua privacy

Usiamo i cookie per migliorare la tua esperienza e personalizzare gli annunci. Scopri di più.

NakedPact Logo

Estensione Chrome

Analizza i contratti e i Termini di Servizio direttamente sul tuo browser con l'estensione NakedPact.