Recent advances in multi-modal large reasoning models (MLRMs) have shown significant ability to interpret complex visual content. While these models enable impressive reasoning capabilities, they also introduce novel and underexplored privacy risks. In this paper, we identify a novel category of privacy leakage in MLRMs: adversaries can infer sensitive geolocation information, such as a user's home address or neighborhood, from user-generated images, including selfies captured in private settings. To formalize and evaluate these risks, we propose a three-level visual privacy risk framework that categorizes image content based on contextual sensitivity and potential for location inference. We further introduce DoxBench, a curated dataset of 500 real-world images reflecting diverse privacy scenarios. Our evaluation across 11 advanced MLRMs and MLLMs demonstrates that these models consistently outperform non-expert humans in geolocation inference and can effectively leak location-related private information. This significantly lowers the barrier for adversaries to obtain users' sensitive geolocation information. We further analyze and identify two primary factors contributing to this vulnerability: (1) MLRMs exhibit strong reasoning capabilities by leveraging visual clues in combination with their internal world knowledge; and (2) MLRMs frequently rely on privacy-related visual clues for inference without any built-in mechanisms to suppress or avoid such usage. To better understand and demonstrate real-world attack feasibility, we propose GeoMiner, a collaborative attack framework that decomposes the prediction process into two stages, clue extraction and reasoning, to improve geolocation performance while introducing a novel attack perspective. Our findings highlight the urgent need to reassess inference-time privacy risks in MLRMs to better protect users' sensitive information.