Leave My Images Alone: Preventing Multi-Modal Large Language Models from Analyzing Images via Visual Prompt Injection

📅 2026-04-10

🤖 AI Summary
This work addresses the risk that open-weight multimodal large language models (MLLMs) may be misused to infer sensitive personal information—such as identity or location—from user-uploaded images. To mitigate this threat, the authors propose ImageProtector, a client-side image protection method that repurposes visual prompt injection attacks into an active defense mechanism. By embedding imperceptible adversarial perturbations into images, ImageProtector steers MLLMs to consistently return refusal responses during analysis. Evaluated across six prominent MLLMs and four datasets, the approach effectively blocks model inference while preserving image usability. Experiments further demonstrate that existing countermeasures—including Gaussian noise, DiffPure, and adversarial training—only partially degrade ImageProtector’s efficacy but incur substantial losses in model accuracy or computational efficiency.

📝 Abstract
Multi-modal large language models (MLLMs) have emerged as powerful tools for analyzing Internet-scale image data, offering significant benefits but also raising critical safety and societal concerns. In particular, open-weight MLLMs may be misused to extract sensitive information from personal images at scale, such as identities, locations, or other private details. In this work, we propose ImageProtector, a user-side method that proactively protects images before sharing by embedding a carefully crafted, nearly imperceptible perturbation that acts as a visual prompt injection attack on MLLMs. As a result, when an adversary analyzes a protected image with an MLLM, the MLLM is consistently induced to generate a refusal response such as "I'm sorry, I can't help with that request." We empirically demonstrate the effectiveness of ImageProtector across six MLLMs and four datasets. Additionally, we evaluate three potential countermeasures, Gaussian noise, DiffPure, and adversarial training, and show that while they partially mitigate the impact of ImageProtector, they simultaneously degrade model accuracy and/or efficiency. Our study focuses on the practically important setting of open-weight MLLMs and large-scale automated image analysis, and highlights both the promise and the limitations of perturbation-based privacy protection.
Problem

Research questions and friction points this paper is trying to address.

multi-modal large language models
visual prompt injection
image privacy
adversarial perturbation
open-weight models
Innovation

Methods, ideas, or system contributions that make the work stand out.

visual prompt injection
multi-modal large language models
image privacy protection
adversarial perturbation
refusal response