BioShocking: How a Fake Game Tricks AI Browsers Into Leaking Secrets

BioShocking AI browser attack diagram showing prompt injection bypassing guardrails

AI browsers are taking on increasingly ambitious roles as autonomous agents. Yet the more they act on a user’s behalf, the more dangerous blind trust in page context becomes. Researchers at LayerX have described a new attack technique called BioShocking. It tricks an AI browser into accepting fabricated rules from a malicious page. The technique then pushes the agent beyond its own protective guardrails.

At a Glance

  • BioShocking uses prompt injection or memory poisoning to feed an AI browser a false context.
  • The agent accepts a fabricated “game world” and applies its rules to real browser actions.
  • Affected products include ChatGPT Atlas, Comet, Fellou, Genspark Browser, Sigma Browser, and the Claude Chrome extension.
  • OpenAI patched ChatGPT Atlas; Perplexity AI ignored the report on Comet; Anthropic’s Claude Chrome fix did not hold.
  • In a proof-of-concept, the attack extracted SSH credentials from an authenticated GitHub repository.

Which AI Browsers Are Affected

The affected products include ChatGPT Atlas, Comet, Fellou, Genspark Browser, Sigma Browser, and the Claude Chrome extension. According to LayerX, all developers received disclosure. OpenAI patched the issue in ChatGPT Atlas. However, Perplexity AI did not respond to the report regarding Comet. Fellou, Genspark, and Sigmabrowser OÜ also remained silent. Meanwhile, Anthropic deployed a fix for the Chrome extension, but the patch did not hold.

How the BioShocking Attack Works

BioShocking works by substituting a false reality for the AI agent. Using prompt injection or memory poisoning, an attacker convinces the browser it is running inside a game. Inside that game, normal safety rules no longer apply. After accepting this altered context, the agent begins applying game logic to real browser actions.

The Proof-of-Concept Demonstration

In a live demonstration, a LayerX researcher built a BioShock-inspired puzzle page. The page defined a deliberately wrong answer as the "correct" one for every question; for instance, it taught the agent that two plus two equals five. Once the agent accepted these fabricated rules, the game directed the browser to a URL ending in /code and asked the agent to copy the contents of a text field found there.

In the test environment, that URL redirected to a GitHub repository. The repository contained an open file holding SSH credentials. The researchers stress that the demonstration ran in a controlled environment. In a real attack, however, the same redirect could point to any resource in the current browser session. That includes open tabs, internal tools, and authenticated repositories.

Why Context Manipulation Is So Dangerous

The core danger lies not in the game itself. Rather, it lies in what the game does to the agent’s perception. Specifically, the agent stopped recognizing a real data-exfiltration action as risky. That shift exposes a fundamental weakness in agentic browsers. Security guardrails must block harmful actions even when those actions are disguised as innocent tasks.

Mitigation: What Developers and Users Should Do

To lower the risk, LayerX recommends that developers require explicit user confirmation before the agent accesses sensitive data. Developers should also validate sudden context shifts, treating a page's claim that new rules now apply as untrusted input rather than as an instruction. In addition, they should constrain the agent's action scope within each session, so that a task started on one page cannot silently reach into other authenticated origins.

For users, the advice is equally direct. They should review which authenticated pages an AI browser can see. Users should also revoke access promptly after each work session ends.
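A minimal version of these three controls, added here as an illustration (it is not LayerX's code, nor any vendor's implementation). It gates each agent action by who issued the instruction and by the origin the action actually touches, so that a page-sourced instruction cannot widen the session's scope, cannot follow a redirect into a logged-in origin, and cannot read a credential-looking field, while the same requests from the user trigger an explicit confirmation instead of a silent action. The action shapes, the session origins, the `puzzle.example` host and the credential-name pattern are assumptions; the walk-through at the end reconstructs the redirect-into-GitHub flow described in the proof-of-concept section above using constructed input.

```javascript
// Added example, not LayerX's or any vendor's code: a minimal action gate for an
// agentic browser modelling the three mitigations above. Action shapes, origin
// names and the credential-name pattern are assumptions for illustration.

// Field names that hint at credentials. An allowlist of known-safe fields would
// be stricter; this pattern is only a hint used to force confirmation.
const CREDENTIAL_HINT = /(secret|token|password|ssh|private[ _-]?key|credential|api[ _-]?key)/i;

const allow = () => ({ decision: 'allow' });
const confirm = (reason) => ({ decision: 'confirm', reason });
const deny = (reason) => ({ decision: 'deny', reason });

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// A session records where the agent may act and which origins carry a login.
function createSession(allowedOrigins, authenticatedOrigins) {
  return {
    allowed: new Set(allowedOrigins.map(originOf)),
    authenticated: new Set(authenticatedOrigins.map(originOf)),
  };
}

// "Validate sudden context shifts": only the user can widen the session's scope
// or change its rules. Text read from a page or recalled from memory is data.
function widenScope(session, origin, source) {
  if (source !== 'user') {
    return { ok: false, reason: `scope change requested by ${source} ignored` };
  }
  session.allowed.add(originOf(origin));
  return { ok: true };
}

// Gate one action. `source` is who issued the instruction: 'user', 'page' or 'memory'.
// Page- and memory-sourced instructions never get to touch sensitive state; the
// user gets an explicit confirmation prompt instead of a silent action.
function gateAction(session, action, source) {
  const fromUser = source === 'user';
  const ask = (what) => (fromUser ? confirm(what) : deny(`${source} instruction: ${what}`));

  switch (action.type) {
    case 'navigate': {
      // Judge the post-redirect destination, not the link the page displayed.
      const target = originOf(action.resolvedUrl ?? action.url);
      if (target === null) return deny('malformed URL');
      if (!session.allowed.has(target)) return ask(`navigate outside scope to ${target}`);
      const redirected = originOf(action.url) !== target;
      if (redirected && session.authenticated.has(target)) {
        return ask(`redirect lands on authenticated origin ${target}`);
      }
      return allow();
    }
    case 'read': {
      const origin = originOf(action.origin);
      if (CREDENTIAL_HINT.test(action.field ?? '') || session.authenticated.has(origin)) {
        return ask(`read field "${action.field}" on ${origin}`);
      }
      return allow();
    }
    case 'send': {
      // Moving data from a logged-in origin to a different origin is exfiltration
      // unless the user explicitly asked for it.
      const from = originOf(action.fromOrigin);
      const to = originOf(action.toOrigin);
      if (from !== to && session.authenticated.has(from)) {
        return ask(`send data from ${from} to ${to}`);
      }
      return allow();
    }
    default:
      return deny(`unknown action type ${action.type}`);
  }
}

// Constructed walk-through of the flow described in the article: the page's
// "game" tries to widen scope, then steers the agent through a redirect into a
// logged-in GitHub tab and asks it to copy a credential field.
function demo() {
  const session = createSession(['https://puzzle.example'], ['https://github.com']);
  return [
    widenScope(session, 'https://github.com', 'page'),
    gateAction(session, { type: 'navigate', url: 'https://puzzle.example/q2' }, 'page'),
    gateAction(session, { type: 'navigate', url: 'https://puzzle.example/code',
                          resolvedUrl: 'https://github.com/example/repo' }, 'page'),
    gateAction(session, { type: 'read', origin: 'https://github.com', field: 'ssh_key' }, 'page'),
    gateAction(session, { type: 'read', origin: 'https://github.com', field: 'ssh_key' }, 'user'),
  ];
}
```

Two design choices matter here. The gate judges the resolved destination rather than the link the page displayed, which is what defeats the /code redirect in the demonstration. And the policy runs outside the model's reasoning, before any action executes: the attack works precisely by corrupting that reasoning, so a check the model itself performs is no check at all.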
