AI browsers promise to help users get things done faster. BioShocking shows how the same convenience can lead to a credential leak.
Security firm LayerX found that attackers could trick six AI browsers and assistants into copying sensitive user data and sending it away by convincing the agents they were playing a game. The attack matters because AI browsers in agent mode can click, read, and act inside accounts where users already have active sessions, creating a new access risk when guardrails fail.
The bigger problem is not just that attackers can fool an AI agent. The agent may also have access to work accounts, repositories, open tabs, internal tools, and credentials while reading instructions from a malicious web page.
How the attack works
The Hacker News reported that LayerX developed BioShocking and tested it against six AI browsers and assistants, including OpenAI’s ChatGPT Atlas, Perplexity’s Comet, and Anthropic’s Claude browser extension.
The attack relies on indirect prompt injection, where malicious instructions hide inside web content the AI agent reads. The web page and the user’s request can appear to the agent as a single stream of text, making it harder to distinguish a legitimate task from a hostile instruction.
In LayerX’s proof of concept, the malicious page presented itself as a puzzle game.
The “rules” rewarded wrong answers, such as accepting that 2 + 2 = 5. Once the agent accepted that false game logic, it followed the next instruction as part of the game instead of treating it as a security risk.
The final task asked the agent to find and copy a hidden code. In the test, that “code” came from sensitive data in a work GitHub repository. The agent copied SSH credentials and sent them back to the attacker.
Agent mode raises the stakes
Android Authority said that LayerX tested ChatGPT Atlas, Perplexity Comet, Fellou, Genspark Browser, Sigma Browser, and Anthropic’s Claude extension for Chrome. According to LayerX, all six exposed sensitive information during testing.
The risk comes from what AI browsers can do. A regular browser mostly waits for the user to click, copy, type, or submit information. An AI browser in agent mode can do those things on the user’s behalf.
That makes the browser more useful, but also more dangerous when it trusts the wrong context.
If the user is signed in to GitHub, email, cloud dashboards, internal portals, or other work apps, the agent may access those places during the session.
For security teams, this means an AI browser should not look like a harmless productivity add-on. In agent mode, it can behave more like a delegated user account with access to whatever the user can reach.
Must-read security coverage
- UK Police Convicts Pair in £5.5 Billion Bitcoin Launder Case
- Blackpoint Cyber vs. Arctic Wolf: Which MDR Solution is Right for You?
- How GitHub Is Securing the Software Supply Chain
- 8 Best Enterprise Password Managers
Vendors gave uneven responses
Infosecurity Magazine noted that LayerX disclosed the issue to vendors between October 2025 and January 2026. OpenAI fixed the issue in ChatGPT Atlas, while Anthropic attempted a fix for its Claude extension, though LayerX said the patch did not hold.
Perplexity reportedly closed the issue without taking action, while Fellou, Genspark, and Sigma did not respond, according to LayerX. Infosecurity Magazine said it had reached out to the vendors individually.
LayerX stressed that its test used a harmless plaintext file, but the same method could point an agent to private repositories, internal tools, session data, or other sensitive pages.
The risk becomes more serious when the agent can reach real accounts. The same prompt-injection trick could turn a fake puzzle into data theft.
What users should check before using agent mode
LayerX recommended that AI browser makers require user confirmation before an agent reads from logged-in accounts. A prompt asking whether the agent should copy data from a GitHub repository, for example, could break the attack chain before credentials leave the account.
The company also called for agents to detect when a page tries to rewrite normal rules and for users to set hard limits on what an agent can access. Those controls would help separate a harmless web task from a request that touches private or work data.
For individual users, the safest approach is to limit what the browser can see before turning on agent mode. Users should sign out of sensitive accounts, close tabs the task does not need, and avoid agent mode when repositories, admin consoles, password managers, or private dashboards remain open.
Organizations testing AI browsers should take the same approach at scale. Agent mode should have the narrowest access needed for the task, not a standing pass to every account the user has open.
Security teams should set rules for AI browser use, especially around internal apps, repositories, admin tools, customer data, and credentials.
BioShocking is a reminder that AI browser security is not only about what the model says. It is also about what the browser can reach, copy, and send once it starts acting on the user’s behalf.
Related reading: See why a 24 billion-record leak is putting renewed attention on passwords, emails, and login data.