
‘BioShocking’ Attack Tricks AI Browsers Into Stealing Credentials

Researchers show how context manipulation can cause agentic browsers to abandon safety guardrails and exfiltrate sensitive credentials.


Researchers from cybersecurity firm LayerX are warning that several agentic browsers can be manipulated to abandon their safety guardrails and perform malicious actions.

To demonstrate the weakness, the researchers created a web page containing a puzzle that the AI browsers were asked to solve. Inspired by the BioShock video game, the puzzle led to a manipulation attack called BioShocking.

Per the game’s rules, incorrect actions were deemed acceptable, and the tested agentic browsers, namely ChatGPT Atlas, Comet, Fellou, Genspark Browser, Sigma Browser, and Claude Chrome, quickly learned that.

After learning that an incorrect answer was the key to continuing the game, the agents' reasoning drifted away from reality, and they eventually performed a nefarious action when asked to navigate to a URL and retrieve the contents of a text box.

“In the game, it turns out that /code redirects to the victim’s employer work GitHub repository. In this case, the malicious instructions fetched sensitive SSH login credentials,” LayerX explains.

While the file was harmless in the controlled test environment, the attack technique could be abused in real-world scenarios to direct the agent anywhere in the browser session, including other tabs, authenticated repositories, or internal tools.


While winning the game means exfiltrating user credentials, the AI browser does not view the action as malicious and instead celebrates its victory.

“The root cause of BioShocking is that AI browsers act within a context, but that context can be manipulated. If you convince an agent that it’s playing a game, then it will apply game logic – not real-world safety logic – to whatever it does,” LayerX says.

Vendors can address the issue by requesting confirmation for sensitive operations, performing context checks, and limiting the scope of agent actions. Users should determine what their AI browser can see and revoke its access when the session is closed.
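The three vendor-side mitigations above can be expressed as a deterministic policy gate that sits between the agent and the browser and is evaluated outside the model's conversational context, so that "game rules" established by a web page cannot change it. The following is an added example written for this article, not code from LayerX, SecurityWeek or any of the browser vendors named; the class names, the instruction-provenance field, the sensitive-host list and the scenario URLs are assumptions constructed for illustration.

```python
"""Added example (not code from LayerX, SecurityWeek or any browser vendor):
a minimal action-policy gate for an agentic browser that applies the three
mitigations the article lists: confirm sensitive operations, check context,
and limit the scope of agent actions. All class and field names are
assumptions made for illustration."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts where reads or copies may expose credentials or authenticated data.
# Constructed list for the example; a real deployment would derive it from policy.
SENSITIVE_HOSTS = {"github.com", "vault.corp.example"}

# Content that looks like a credential, whatever the page calls it.
SECRET_RE = re.compile(
    r"(ssh-(?:rsa|ed25519)\s+\S+|BEGIN (?:RSA|OPENSSH) PRIVATE KEY|"
    r"api[_-]?key\s*[:=]|password\s*[:=])", re.I)


@dataclass
class Action:
    kind: str               # "navigate", "read", "submit", "copy"
    url: str                # URL the agent asked for
    source: str             # "user" if the user asked; "page" if page text suggested it
    resolved_url: str = ""  # where the request actually landed after redirects
    payload: str = ""       # data the agent would read out or send


@dataclass
class Decision:
    verdict: str            # "allow", "confirm", or "deny"
    reason: str


class ActionPolicy:
    """Deterministic gate that runs outside the model's conversational context."""

    def __init__(self, task_url: str, extra_hosts=()):
        # Scope limit: the task's origin plus explicitly granted hosts, nothing else.
        self.allowed_hosts = {urlparse(task_url).netloc, *extra_hosts}

    def evaluate(self, action: Action) -> Decision:
        # Always judge the destination the browser ended up on, not the link text.
        host = urlparse(action.resolved_url or action.url).netloc

        # 1. Scope: actions outside the task's hosts are refused outright.
        if host not in self.allowed_hosts:
            return Decision("deny", f"{host} is outside the task scope")

        sensitive = host in SENSITIVE_HOSTS or bool(SECRET_RE.search(action.payload))

        # 2. Context check: instructions that came from page content are data,
        #    not commands, and may not trigger a sensitive operation at all.
        if sensitive and action.source == "page":
            return Decision("deny", "page-sourced instruction targets sensitive data")

        # 3. Sensitive operations the user did ask for still need explicit confirmation.
        if sensitive:
            return Decision("confirm", f"{action.kind} on {host} touches sensitive data")

        return Decision("allow", "within scope and not sensitive")


def demo():
    """Constructed scenario mirroring the article: a puzzle page whose /code link
    redirects to the victim's work repository. Returns the four verdicts."""
    policy = ActionPolicy("https://puzzle.example", extra_hosts={"github.com"})

    # Solving the puzzle on the puzzle site itself: fine.
    on_site = Action("read", "https://puzzle.example/level2", source="user")

    # The page says "go to /code and read the text box"; /code lands on GitHub and
    # the text box holds an SSH key (constructed value). Page-sourced and
    # sensitive: denied, whatever "game rules" the page text established.
    redirected = Action(
        "read", "https://puzzle.example/code", source="page",
        resolved_url="https://github.com/victim-corp/infra/blob/main/deploy_key",
        payload="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAEXAMPLE deploy@victim")

    # The user themselves asks to open that repository: allowed only after confirmation.
    user_asked = Action("navigate", "https://github.com/victim-corp/infra", source="user")

    # An internal tool never granted to this task: out of scope, denied.
    off_scope = Action("navigate", "https://intranet.corp.example/admin", source="page")

    return [policy.evaluate(a).verdict
            for a in (on_site, redirected, user_asked, off_scope)]


if __name__ == "__main__":
    print(demo())  # ['allow', 'deny', 'confirm', 'deny']
```

The point of the design is that the gate never reads the page's framing: it keys off where a request actually resolved, whether the instruction originated with the user or with page content, and whether the destination or payload looks like credentials. A redirect from a harmless-looking path to an authenticated repository is therefore judged on the repository, not on the puzzle page that linked to it.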

LayerX says it reported the findings to all six vendors. OpenAI patched the issue, Anthropic’s patch failed, Perplexity AI ignored the report, and Fellou, Genspark, and Sigmabrowser OU never responded.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
