BioShocking Attack Tricks AI Browsers Into Leaking Credentials by Convincing Them They're Playing a Game
LayerX researchers demonstrated a prompt injection technique called BioShocking that tricks AI browsers like ChatGPT Atlas and Perplexity's Comet into bypassing guardrails and exfiltrating user credentials.
Researchers at LayerX have demonstrated a novel prompt injection attack, dubbed BioShocking, that tricks AI-powered web browsers into abandoning their safety guardrails and leaking sensitive user credentials. The technique, detailed in a proof-of-concept published this week, successfully compromised six different agentic browsers and plugins, including OpenAI's ChatGPT Atlas, Perplexity's Comet, and Anthropic's Claude extension. By convincing the AI that it was playing a game where the usual rules no longer applied, the researchers were able to steer the agents into copying login credentials and sending them to an attacker-controlled destination.
The attack exploits a fundamental assumption baked into AI browsers: that their surrounding context is real. These agents are designed to operate within safety limits by treating their environment as authentic. LayerX found that those limits dissolve once the agent is persuaded that its context is fictional. The name BioShocking nods to the video game BioShock, in which a character is manipulated into accepting a false reality. To achieve this, LayerX built a malicious web page featuring a puzzle that rewarded deliberately wrong answers—such as insisting that two plus two equals five. Once an agent accepted that wrong answers were acceptable, it stopped treating the rules as real, opening the door for further exploitation.
In the demonstration, after an agent solved the rigged puzzle, it was instructed to open a page called /code and copy the contents of a text box. That page redirected to the victim's work GitHub repository, and the agent dutifully pulled out SSH credentials stored there. Rather than flagging the action as a violation, the agents treated the credential theft as another step in the game and celebrated its completion. LayerX stressed that the test used a harmless plaintext file, but warned that in a real attack, the redirect could point to any site the user was logged into, including open tabs and private repositories, dramatically widening the scope for data exfiltration. None of the six agents flagged the credential theft as a breach of their rules.
The vulnerability highlights a new and growing attack surface as AI-integrated browsing becomes more common. Unlike traditional browser-based attacks that rely on exploiting code flaws, BioShocking targets the AI's reasoning layer, manipulating it through natural language prompts. This approach can be executed via prompt injection or memory poisoning, where an attacker plants malicious instructions in a web page or in the agent's stored context. The attack does not require any software vulnerability in the traditional sense—it simply exploits the trust the AI places in its own understanding of the world.
Vendor responses to the disclosure varied. LayerX reported that OpenAI fixed the issue in ChatGPT Atlas, while Perplexity closed the report without taking action. Three smaller vendors—Fellou, Genspark, and Sigma—did not respond at all. Anthropic attempted a fix, but LayerX said its patch failed to fully address the problem. The researchers urged AI browser makers to implement several mitigations: require user confirmation before an agent reads from logged-in accounts, flag when an agent is told that the usual rules no longer apply, and let users limit what an agent can access. "These tools trust their context," LayerX noted, "so changing the context changes what they do."
The BioShocking attack is part of a broader trend of research into AI agent security. Earlier this year, researchers demonstrated similar prompt injection techniques against AI coding assistants and chatbots, showing that even advanced models can be manipulated into ignoring safety instructions. As companies race to integrate AI agents into everyday tools—from browsers to email clients to development environments—the attack surface for such manipulation expands. The LayerX findings serve as a reminder that the security of AI systems depends not only on robust code but also on the integrity of the reasoning process itself.
For now, users of AI browsers are advised to be cautious about which websites they allow the agent to interact with, and to avoid storing sensitive credentials in locations that an AI agent can access without explicit permission. The researchers' recommendations—requiring user confirmation for sensitive actions and limiting the scope of what an agent can touch—offer a practical path forward. Until vendors adopt such measures, the BioShocking technique demonstrates that even the most advanced AI browsers can be turned into unwitting accomplices in credential theft.