A newly disclosed attack technique dubbed “BioShocking” is raising concerns across the cybersecurity community after researchers demonstrated that AI-powered browsers can be manipulated to leak sensitive data and bypass built-in safety controls.
Security researchers at LayerX revealed that attackers can “game” AI-driven browsers into executing malicious actions by altering their perception of reality.
The attack exploits how large language models (LLMs) rely on contextual understanding to enforce safety guardrails.
By manipulating that context, threat actors can trick AI agents into performing actions they would normally not, such as exposing credentials, copying sensitive code, or executing unauthorized commands.
The agent is faced with a seemingly simple math question (source: Layerxsecurity)
The technique has been successfully tested against several popular AI-enabled browsing tools, including ChatGPT Atlas, Perplexity Comet, Claude Chrome plugin, and others. All affected vendors were notified.
BioShocking Attack
The concept behind BioShocking is inspired by the BioShock video game, where characters are controlled through altered perception and subtle cues.
Similarly, this attack uses prompt injection and context manipulation to “convince” AI systems that they are operating in a fictional or game-like environment where normal rules do not apply.
Once the AI accepts this false context, it begins to ignore its safety restrictions. As a result, it may comply with malicious instructions such as retrieving sensitive information or interacting with secure systems.
After getting the right answer with “5”, the agent is instructed to navigate to /code and copy from a textbox (source: LayerXsecurity)
For example, an attacker can embed a malicious puzzle or game within a webpage. When a user asks their AI browser to interact with the environment, the agent gradually adapts to the environment’s altered logic.
LayerX demonstrated the attack using a BioShock-themed puzzle. The AI agent was initially presented with a simple math question.
However, the game rewarded incorrect answers, such as “2 + 2 = 5.” Over time, the AI adapted to this new “reality,” abandoning standard logic. In the final stage, the agent was instructed to navigate to a specific path and copy data.
The username and password were shared with the attacker, allowing the game to be completed (source : Layerxsecurity )
Unknown to the AI, this path redirected to a private GitHub repository containing sensitive credentials. The AI proceeded to extract and share the data without triggering any security warnings.
In a real-world scenario, such redirection could target email accounts, internal dashboards, or password managers accessible within the user’s session.
The test used a plaintext file, but a real attack could target open tabs, repositories, or internal tools. (source::Layerxsecurity )
The researchers confirmed successful exploitation across multiple agentic browsers and plugins, including:
ChatGPT Atlas (OpenAI) – Fixed.
Comet (Perplexity AI) – Closed/ignored.
Claude Chrome Plugin (Anthropic) – Patch unsuccessful.
Fellou, Genspark, Sigma Browser – No response.
This broad impact highlights systemic weaknesses in how AI agents interpret and enforce contextual boundaries.
The root issue lies in the AI’s reliance on context as truth. If attackers can manipulate that context, they effectively control the AI’s decision-making process. This creates a new attack surface where traditional safeguards may fail silently.
Researchers recommend several defenses for vendors: Require explicit user confirmation before accessing sensitive data. Detect and flag unrealistic or contradictory contexts. Restrict agent capabilities by default, especially in authenticated sessions.
For users, limiting AI access to sensitive environments and logging out of critical accounts during AI browsing sessions can reduce exposure.
BioShocking demonstrates a critical shift in AI security risks. Rather than breaking systems directly, attackers can now reshape how AI perceives reality, turning trusted tools into potential vectors for data exfiltration.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.
The post New BioShocking Attack Allows Attackers to Trick AI Browser and Leak Credentials appeared first on Cyber Security News.
