AI Browsers Manipulated into Handing Over Credentials via Gamified Attack

Researchers found a technique that tricks AI browsers into treating credential theft as a game objective, bypassing safety controls.

CSBadmin
2 Min Read

The BioShocking Technique

Security researchers at LayerX have developed a novel attack called BioShocking that exploits how AI browsers process information. The technique works by presenting a malicious web page as a puzzle or game, where the rules encourage the AI agent to provide incorrect answers. Once the agent accepts this altered logic, it follows the game’s commands rather than its safety protocols. The final step of the game instructs the agent to retrieve and forward the user’s credentials.

In tests, the attack successfully tricked six different AI browsers and assistants, including OpenAI’s ChatGPT Atlas, Perplexity’s Comet, and Anthropic’s Claude browser extension. The agents were directed to access a victim’s GitHub repository to retrieve SSH login credentials, which were then sent to an attacker. The agents performed this action without hesitation and even reported the data theft as a successful completion of the game.

Impact and Vendor Response

The vulnerability stems from how AI browsers receive web page content and user instructions as a single stream of text. This design allows malicious pages to inject hidden commands that the AI agent cannot distinguish from legitimate content, a form of indirect prompt injection. Once an AI browser is in agent mode, it can access any signed-in accounts and internal tools available to the user.

LayerX reported the issue to vendors between October 2025 and January 2026. OpenAI addressed the vulnerability in ChatGPT Atlas. Perplexity closed the report without taking action, while Fellou, Genspark, and Sigma did not respond. Anthropic attempted to patch its Claude extension, but LayerX stated the fix was not effective. The researchers recommend that AI browsers should request explicit permission before accessing logged-in accounts and that agents should be designed to recognize when a page is attempting to alter normal rules of operation.

Source: The Hacker News

CSBadmin

The latest in cybersecurity news and updates.

TAGGED:
Share This Article
Follow:
The latest in cybersecurity news and updates.