Peek-A-Boo! 🫣 Emoji Smuggling and Modern LLMs – FireTail Blog

Researchers have discovered a technique where malicious text can be smuggled inside an emoji using undeclared Unicode characters, which can bypass human reviews and security filters. This technique exploits the complex nature of Unicode, where an emoji is a sequence of bytes that can be manipulated to hide invisible characters. The method relies on "Variation Selectors" and shift ciphers to transform standard Unicode characters into invisible ones, creating a payload that looks normal on a screen but contains hidden code. This technique is effective because it exploits a gap in how Large Language Models process text versus how they are trained to understand it. The model can recognize the presence of unusual Unicode characters but cannot decipher the message on its own, unless provided with a prompt to look at the raw bytes. By providing the model with the "key" to understanding the hidden text, the model can execute the hidden commands, demonstrating the severity of this vulnerability. The most significant implication of this research is that the malicious instruction remains completely invisible to the human eye, slipping past manual oversight while remaining fully legible to the machine. To defend against Emoji Smuggling, it is necessary to inspect the raw byte sequence of every input, not just the rendered visual text that appears in standard logs. FireTail's platform can analyze the raw payload data to identify hidden payloads and generate alerts, allowing security teams to block the prompt or flag the resulting LLM output for manual review. The key to catching Emoji Smuggling is monitoring the raw data layer, as human reviewers cannot spot threats that are technically invisible to the eye, and this is how FireTail is hardening the AI perimeter for its customers.