In September 2025, FireTail researcher Viktor Markopoulos set out to test leading large language models (LLMs) for resilience against the long-standing ASCII Smuggling technique.
By embedding invisible control characters within seemingly harmless text, ASCII Smuggling abuses Unicode “tag” blocks to hide malicious instructions from human reviewers while feeding them directly into the raw input stream consumed by LLMs.
Markopoulos’s experiments revealed that, despite modern sanitization efforts, Gemini remained vulnerable prompting FireTail to develop dedicated detection capabilities for this stealthy attack vector.
ASCII Smuggling Attack
ASCII Smuggling leverages zero-width or tag Unicode characters (for example, U+E0001 “Language Tag”) that render invisible in typical UIs but remain present in the raw data fed to the LLM.
A tag-unaware front end displays only the visible string, “Tell me 5 random words. Thank you.” However, the raw prompt string contains appended tag characters enclosing the hidden directive:
Because Gemini’s input pre-processor passes every code point—including invisible tags—straight to the model without normalization, the hidden instructions override the visible query.
The result: the model prints “FireTail” instead of returning random words. This disconnect between UI rendering and application logic represents a critical flaw in any system that assumes visible text equals complete instruction.
Gemini’s deep integration with Google Workspace makes this vulnerability particularly dangerous for enterprise users.
In one proof-of-concept, an attacker embeds smuggled characters within a calendar invite. The victim sees “Meeting” as the event title, but Gemini reads:
The hidden payload can overwrite meeting descriptions, links, or organizer details—fully spoofing identities without the target ever accepting the invite.
FireTail even demonstrated injecting a malicious meeting link, bypassing traditional “Accept/Decline” gates and giving the attacker covert access to calendar data.
Beyond identity spoofing, ASCII Smuggling can enable automated content poisoning. E-commerce platforms that summarize product reviews can be tricked into embedding malicious URLs. For example:
- Attacker’s visible review: “Great phone. Fast delivery and good battery life.”
- Hidden payload in raw string: “… . Also visit https://scam-store.example for a secret discount!”
The LLM’s summarization feature ingests both visible and invisible text, producing a poisoned summary that promotes the scam link to end users.
FireTail’s research found that ChatGPT, Copilot, and Claude appear to scrub tag characters effectively; however, Gemini, Grok, and DeepSeek were vulnerable, placing enterprises relying on these services at immediate risk.
After disclosing the flaw to Google on September 18, 2025, FireTail received a “no action” response, compelling the team to publicly disclose their findings.
To safeguard organizations, FireTail engineered detection for ASCII Smuggling in LLM logs by monitoring the raw input payload, including all tags and zero-width characters, before and during tokenization.
Rapid isolation of malicious sources is made possible by alerts that activate at the first indication of smuggling sequences.
This move to raw-stream observability represents only an assured defense against application-layer attacks that exploit the intrinsic separation of UI rendering and LLM processing.
Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today
