BioShocking Attack Shows How AI Browsers Can Be Tricked Into Leaking Credentials

A newly disclosed attack technique called BioShocking shows how AI-powered browsers can be manipulated into leaking credentials and other sensitive data from a user’s signed-in web sessions.

Security researchers at LayerX said the attack works by making an AI browser believe it is operating inside a fictional game environment. Once the browser agent accepts that false context, it may ignore normal safety limits and follow harmful instructions.

The LayerX research tested the technique against six tools: ChatGPT Atlas, Perplexity Comet, Fellou, Genspark Browser, Sigma Browser, and the Claude Chrome plugin.

What is the BioShocking attack?

BioShocking is a prompt injection attack aimed at agentic AI browsers. These tools can read web pages, click buttons, navigate sites, and interact with content on behalf of the user.

That capability makes them useful for research, shopping, form filling, and work automation. It also creates risk when the agent can access the same authenticated browser sessions as the user.

The attack name comes from the BioShock video game, where characters can be manipulated through a false perception of reality. In this case, the attacker reshapes the AI browser’s context so the agent treats dangerous actions as part of a harmless game.

Attack stage	What happens	Security risk
Malicious page	The user opens a page containing a game or puzzle	The browser agent reads attacker-controlled instructions
False context	The game rewards incorrect or unrealistic answers	The agent starts accepting the page’s altered rules
Redirect	The agent is told to visit another path or resource	The request can point to signed-in accounts or internal tools
Data leak	The agent copies sensitive information and shares it	Credentials or private code can leave the user’s session

How the attack tricks an AI browser

LayerX demonstrated the attack with a puzzle that begins with a simple math question. The AI browser first answers normally, but the game rewards an incorrect answer, such as treating 2 + 2 as 5.

After the agent adapts to the game’s false logic, the page gives it another instruction. The agent is told to navigate to a path and copy text from a box.

According to The Hacker News, the dangerous part is that the path can redirect the agent to an authenticated resource, such as a work GitHub repository, where it can retrieve credentials during the same browser session.

The demo used a controlled environment

LayerX said its test used a plaintext file in a controlled environment. That detail matters because the disclosure does not describe an active attack campaign stealing credentials from real users.

However, the risk remains serious. In a real attack, the same pattern could target open tabs, private repositories, internal dashboards, email accounts, or password managers that the browser session can reach.

The issue fits a broader category that OWASP tracks as prompt injection. OWASP describes prompt injection as a way to manipulate model behavior through input that can bypass safety measures.

• The attack does not need to break the target website directly.
• It abuses the AI agent’s interpretation of page content.
• It can become more dangerous when the agent has access to signed-in sessions.
• It shows why browser agents need stricter permission boundaries.

Which AI browsers were tested?

The LayerX report says the proof of concept worked against five agentic browsers and one agentic plugin. The company said all vendors were notified.

LayerX listed OpenAI’s ChatGPT Atlas as fixed. It listed Perplexity Comet as closed or ignored, while Fellou, Genspark Browser, and Sigma Browser were marked as having no response.

The same vendor disclosure table listed the Claude Chrome plugin as “patch failed.” Those statuses reflect LayerX’s account of the coordinated disclosure process and should be read as vendor-response claims from the researchers.

Vendor	Tool	LayerX listed status
OpenAI	ChatGPT Atlas	Fixed
Perplexity AI	Comet	Closed or ignored
Fellou / ASI X INC	Fellou	No response
Genspark	Genspark Browser	No response
Sigmabrowser OÜ	Sigma Browser	No response
Anthropic	Claude Chrome plugin	Patch failed

Why agentic browsers increase the risk

Traditional browsers mainly display web content and run site code inside browser security boundaries. AI browsers add a new layer because the agent can interpret instructions, make decisions, and take actions across pages.

This changes the threat model. A malicious webpage does not only try to fool the user. It can try to fool the user’s AI assistant into clicking, copying, submitting, or navigating somewhere sensitive.

The UK National Cyber Security Centre has warned that LLMs do not enforce a clean security boundary between instructions and data inside a prompt. Its guidance on prompt injection explains why these attacks differ from older web security bugs.

Why guardrails failed in the demo

AI systems use safety rules to reject harmful requests, including requests to steal credentials or access private data. BioShocking attacks those rules by changing the context around the request.

Instead of directly asking the agent to steal information, the malicious page builds a game-like environment where the agent learns that normal answers are wrong and unusual actions are rewarded.

That matches the core risk in the OWASP LLM01 guidance: malicious input can alter model behavior and cause the system to ignore intended restrictions.

What attackers could target

BioShocking matters because AI browsers often operate while the user remains signed in to work and personal accounts. If an agent can see a page, it may also be able to read or copy information from it.

LayerX said a real attack could point the browser agent toward open tabs, authenticated repositories, internal tools, or other resources available in the user’s session. That makes the attack especially relevant for developers, security teams, and employees using AI browsers for work.

Follow-up security coverage also emphasized that the attack turns agent mode into a data-exfiltration path when the assistant can reach signed-in accounts.

• Private GitHub repositories
• Internal dashboards
• Email inboxes
• Cloud storage portals
• Password managers
• CRM and customer support systems
• Developer tools and admin consoles

How vendors can reduce the risk

LayerX recommends explicit confirmation before an AI browser reads sensitive data from authenticated services. For example, the agent should stop and ask before copying from a private repository.

Vendors also need better context checks. If a page tells an agent that normal safety rules no longer apply, the browser should treat that as a suspicious instruction rather than a valid task rule.

The NCSC warning supports a defense-in-depth approach because prompt injection cannot be handled like a simple input-validation bug. AI agents need access limits, monitoring, user prompts, and safer defaults.

Defense	How it helps
User confirmation	Stops the agent before it reads or copies sensitive data
Permission scopes	Limits which sites, tabs, and accounts the agent can access
Context validation	Flags pages that tell the agent to ignore real-world rules
Session isolation	Separates agent browsing from sensitive logged-in accounts
Enterprise monitoring	Helps security teams detect unusual automated access

What users and companies should do now

Users should avoid running AI browser agents in sessions that also contain sensitive accounts. Logging out of work tools, password managers, and admin dashboards before using agent mode can reduce exposure.

Companies should treat AI browsers like software with privileged access. If employees use them for work, security teams should define which tools are allowed, which sites they can access, and which data they must never read or copy.

The safest approach is to give browser agents the narrowest access needed for the task. An AI assistant that plays a web puzzle does not need permission to open a private repository, read email, or interact with internal systems.

• Use separate browser profiles for AI browsing and sensitive work accounts.
• Disable agent mode when it is not needed.
• Do not ask AI browsers to interact with unknown or untrusted pages.
• Log out of password managers and internal tools before using agentic browsing.
• Review browser-agent activity in enterprise environments.
• Train employees to treat AI agents as active participants, not passive search tools.

The bigger security lesson

BioShocking shows that AI browser security cannot rely only on model guardrails. Once an AI agent can browse, click, copy, and use signed-in sessions, attackers can target the agent’s judgment instead of the website itself.

The attack also shows why AI browsers need visible permission prompts. Users should know when an agent is about to access a private account, copy sensitive text, or move from a public page to an authenticated system.

For now, the practical advice is clear. AI browsers can save time, but they should not receive unlimited access to every account in a user’s browser session. Treat agent mode as a powerful automation tool and give it the same caution you would give any tool that can act on your behalf.

FAQ