All they had to do to baffle the AI was write down the name of an object and sticking it on another can to trick the software into misidentifying what it sees.

Writing in their Boffin Blog OpenAI's researchers said: "We refer to these attacks as typographic attacks. By exploiting the model's ability to read text robustly, we find that even photographs of hand-written text can often fool the model."

They note that such attacks are like "adversarial images" that can fool commercial machine vision systems, but far simpler to produce.

The OpenAI software in question is an experimental system named CLIP that isn't deployed in any commercial product. But the nature of CLIP's unusual machine learning architecture created the weakness that enables this attack to succeed. CLIP is intended to explore how AI systems might learn to identify objects without close supervision by training on huge databases of image and text pairs. In this case, OpenAI used some 400 million image-text pairs scraped from the internet to train CLIP, which was unveiled in January.