In September 2025, cybersecurity researcher Viktor Markopoulos from FireTail embarked on an evaluation of leading large language models (LLMs) to assess their resilience against the longstanding ASCII Smuggling technique. This method involves embedding invisible control characters within seemingly benign text, exploiting Unicode “tag” blocks to conceal malicious instructions from human reviewers while delivering them directly into the raw input stream processed by LLMs.
Markopoulos’s experiments revealed that, despite modern sanitization efforts, Google’s Gemini remained susceptible to this attack vector. This discovery prompted FireTail to develop specialized detection capabilities to counteract this stealthy form of exploitation.
Understanding ASCII Smuggling
ASCII Smuggling leverages zero-width or tag Unicode characters, such as U+E0001 “Language Tag,” which are invisible in standard user interfaces but persist in the raw data fed to LLMs. For instance, a user might input the visible string, “Tell me 5 random words. Thank you.” However, the raw prompt could contain appended tag characters enclosing a hidden directive.
Since Gemini’s input pre-processor transmits every code point—including these invisible tags—directly to the model without normalization, the hidden instructions can override the visible query. Consequently, the model might output “FireTail” instead of providing random words. This discrepancy between UI rendering and application logic highlights a critical flaw in systems that equate visible text with complete instruction.
Implications for Google Workspace Integration
Gemini’s deep integration with Google Workspace amplifies the potential risks for enterprise users. In a proof-of-concept scenario, an attacker could embed smuggled characters within a calendar invite. While the victim sees “Meeting” as the event title, Gemini interprets hidden payloads that can overwrite meeting descriptions, links, or organizer details—effectively spoofing identities without the target ever accepting the invite.
FireTail demonstrated the injection of a malicious meeting link, circumventing traditional “Accept/Decline” mechanisms and granting the attacker covert access to calendar data.
Broader Applications of ASCII Smuggling
Beyond identity spoofing, ASCII Smuggling can facilitate automated content poisoning. E-commerce platforms that summarize product reviews can be manipulated to embed malicious URLs. For example:
– Attacker’s visible review: “Great phone. Fast delivery and good battery life.”
– Hidden payload in raw string: “…
The LLM’s summarization feature processes both visible and invisible text, resulting in a poisoned summary that promotes the scam link to end users.
Comparative Vulnerability Assessment
FireTail’s research indicated that while ChatGPT, Copilot, and Claude effectively scrub tag characters, Gemini, Grok, and DeepSeek were vulnerable. This places enterprises relying on these services at immediate risk.
After disclosing the flaw to Google on September 18, 2025, FireTail received a “no action” response, leading the team to publicly disclose their findings.
Mitigation Strategies
To protect organizations, FireTail developed detection mechanisms for ASCII Smuggling in LLM logs by monitoring the raw input payload, including all tags and zero-width characters, before and during tokenization. Alerts are triggered at the first indication of smuggling sequences, enabling rapid isolation of malicious sources.
This approach to raw-stream observability offers a robust defense against application-layer attacks that exploit the inherent separation between UI rendering and LLM processing.
