Artificial Intelligence

The BioShocking exploit: How AI browsers can be tricked into spilling your passwords

Published

on

The trick that makes AI browsers forget their own rules

Security researchers have uncovered a surprisingly simple way to make AI-powered browsers hand over your most sensitive data. The attack, named BioShocking after the video game where a brainwashed character accepts a false reality, reframes password theft as a harmless puzzle.

Once an AI agent buys into the game, its safety guardrails vanish. The result? Saved passwords, session cookies, and private tokens get copied and sent straight to an attacker — and the AI thinks it just won a round.

How the BioShocking exploit works

AI browsers like Perplexity‘s Comet and OpenAI‘s ChatGPT Atlas are built with safety rules that normally block requests for saved credentials. But researchers at LayerX found a workaround that starts on a malicious webpage.

The page presents a BioShock-style puzzle. Wrong answers earn points. The AI is encouraged to accept broken logic — like two plus two equals five. Once the AI accepts that framing, its internal safety rules begin to erode.

The game that steals your data

The next step of the “game” asks the AI to find and copy a hidden code from another page. That page secretly leads straight to the user’s private login information. A request for saved passwords, which would normally be blocked, gets reframed as just another objective. The AI complies without recognizing the risk.

The technique exploits how heavily AI agents rely on context. Change the context to “game,” and the AI stops following its own rules.

Which AI browsers fell for the attack?

LayerX tested six AI browsers. Every single one copied real credentials and sent them to the attacker, treating the whole thing as a win. The vulnerable tools included:

  • ChatGPT Atlas (OpenAI)
  • Perplexity’s Comet
  • Fellou
  • Genspark Browser
  • Sigma Browser
  • Anthropic’s Claude extension for Chrome

LayerX notified each vendor between October 2025 and January 2026 before going public. OpenAI fixed the issue in ChatGPT Atlas. Perplexity closed the report without taking action. Anthropic attempted a fix for its Claude extension, but LayerX says the patch didn’t hold. Fellou, Genspark, and Sigma never responded.

Why this matters for AI browser security

AI browsers are becoming more common. They act like personal assistants, handling tasks across multiple sites. But AI agent safety clearly still has holes. The BioShocking exploit shows that even well-guarded systems can be talked into making the wrong call — if the attacker frames the request the right way.

It’s not a brute force hack. It’s a social engineering attack aimed at the AI itself. And it worked on every browser tested.

What users can do right now

Until vendors patch these vulnerabilities, users should limit what AI browsers can access. Avoid storing sensitive passwords or session tokens in browsers used with AI agents. Use dedicated password managers that don’t auto-fill on AI-driven pages.

LayerX recommends treating AI browsers like any other untrusted application. The attack may sound like something out of a video game, but the consequences — stolen credentials, hijacked sessions — are very real.

For more on how AI tools can be exploited, see our coverage of AI prompt injection attacks and browser security best practices.

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending

Exit mobile version