Researchers from cybersecurity firm LayerX are warning that several agentic browsers can be manipulated to abandon their safety guardrails and perform malicious actions.
To demonstrate the weakness, the researchers built a web page containing a puzzle that the AI browsers were asked to solve. Because the puzzle is inspired by the BioShock video game, the researchers named the resulting manipulation attack BioShocking.
Under the game's rules, incorrect actions were deemed acceptable, and the tested agentic browsers, namely ChatGPT Atlas, Comet, Fellou, Genspark Browser, Sigma Browser, and Claude Chrome, quickly learned that.
Once they had learned that an incorrect answer was the key to continuing the game, the agents stopped reasoning about the real-world consequences of their actions and eventually performed a nefarious action when instructed to navigate to a URL and retrieve the contents of a textbox.
“In the game, it turns out that /code redirects to the victim’s employer work GitHub repository. In this case, the malicious instructions fetched sensitive SSH login credentials,” LayerX explains.
While the file was harmless in the controlled test environment, the same technique could be abused in real-world scenarios to steer the agent anywhere within the browser session, including other tabs, authenticated repositories, or internal tools.
Because winning the game means exfiltrating the user's credentials, the AI browser does not regard the action as malicious and instead celebrates its victory.
“The root cause of BioShocking is that AI browsers act within a context, but that context can be manipulated. If you convince an agent that it’s playing a game, then it will apply game logic – not real-world safety logic – to whatever it does,” LayerX says.
Vendors can address the issue by requiring user confirmation for sensitive operations, performing context checks, and limiting the scope of agent actions. Users should review what their AI browser can see and revoke its access when the session is closed.
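As an added example that is not LayerX's code or any vendor's implementation, the JavaScript below sketches what those three mitigations look like when enforced on an agent's concrete tool calls rather than on its narrative. A gate between the model and the browser decides on where a request goes, what it carries, and who asked for it; a "we are playing a game" framing gives it nothing to act on. The origins, secret patterns, the action shape, and the acme/infra repository in the walk-through are assumptions constructed for illustration.

```javascript
// Added example, not LayerX's or any browser vendor's code. A policy gate placed
// between an agent's proposed tool calls and the browser. Every value here is an
// assumption for illustration.

const SESSION_SCOPE = new Set(["https://puzzle.example"]);           // origins the user granted for this task
const SENSITIVE_ORIGINS = new Set(["https://github.com", "https://ci.internal.example"]); // always involve a human
const SECRET_PATTERNS = [
  /-----BEGIN (?:OPENSSH |RSA |EC )?PRIVATE KEY-----/, // SSH/TLS private key header
  /\bghp_[A-Za-z0-9]{36}\b/,                            // GitHub classic token shape
  /\bAKIA[0-9A-Z]{16}\b/,                               // AWS access key id shape
];

function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null; // unparseable URLs are never allowed through
  }
}

function looksLikeSecret(text) {
  return typeof text === "string" && SECRET_PATTERNS.some((re) => re.test(text));
}

// action: { type: "navigate" | "read" | "submit", url, source: "user" | "page", payload? }
// `source` records who asked for the step: the user, or text the agent read on a page.
// The gate must see the resolved target of each request, including redirect hops,
// so that a /code path that redirects elsewhere is judged by where it actually lands.
function evaluateAction(action, scope = SESSION_SCOPE) {
  const origin = originOf(action.url);
  if (!origin) return { decision: "deny", reason: "unparseable URL" };

  const inScope = scope.has(origin);
  const carriesSecret = action.type === "submit" && looksLikeSecret(action.payload);

  // Context check: instructions that came from page content are untrusted. They may
  // move the agent around the granted site, but never off it.
  if (action.source === "page" && !inScope) {
    return { decision: "deny", reason: `instruction read from a page targets ${origin}, outside session scope` };
  }
  // Exfiltration: secret-looking data leaving the granted origins is blocked outright.
  if (carriesSecret && !inScope) {
    return { decision: "deny", reason: `secret-looking payload would leave the session scope for ${origin}` };
  }
  // Scope limit: any other departure from the granted origins needs the user, even when the user asked.
  if (!inScope) {
    return { decision: "confirm", reason: `${origin} is outside the session scope` };
  }
  // Sensitive operations: reading from or submitting to a sensitive origin, or moving a credential.
  if (SENSITIVE_ORIGINS.has(origin) && action.type !== "navigate") {
    return { decision: "confirm", reason: `${action.type} on sensitive origin ${origin}` };
  }
  if (carriesSecret) {
    return { decision: "confirm", reason: "payload looks like a credential" };
  }
  return { decision: "allow", reason: "within session scope" };
}

// Evaluate a proposed sequence and stop at the first step that is not allowed,
// since a blocked step invalidates whatever the model planned after it.
function runPlan(actions, scope = SESSION_SCOPE) {
  const decisions = [];
  for (const action of actions) {
    const d = evaluateAction(action, scope);
    decisions.push({ ...action, ...d });
    if (d.decision !== "allow") break;
  }
  return decisions;
}

// Constructed walk-through of the scenario in the article: the agent plays the puzzle
// in scope, then a page instruction sends it to /code, which redirects to the
// victim's employer repository. The gate judges the resolved redirect target.
const CONSTRUCTED_PLAN = [
  { type: "navigate", url: "https://puzzle.example/level/3", source: "user" },
  { type: "navigate", url: "https://github.com/acme/infra", source: "page" }, // resolved target of /code
  { type: "read", url: "https://github.com/acme/infra/blob/main/id_rsa", source: "page" },
];

for (const r of runPlan(CONSTRUCTED_PLAN)) {
  console.log(`${r.type} ${r.url}: ${r.decision} (${r.reason})`);
}
```

The point of the design is that the gate never consults the model's stated reason for an action. Whether the agent believes it is solving a puzzle or doing the user's work, a page-sourced instruction that leaves the granted origins is denied, a credential that would leave them is denied, and anything else that leaves them is put in front of the user.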
LayerX says it reported the findings to all six vendors. OpenAI patched the issue, Anthropic’s patch failed, Perplexity AI ignored the report, and Fellou, Genspark, and Sigmabrowser OU never responded.
