AI browsers promise a future where software doesn’t just display webpages, but actively completes tasks on our behalf. Open a few tabs, ask an AI agent to book a flight, summarize documents, compare products, or fetch information from a work repository, and it does the heavy lifting for you. But as we’ve highlighted repeatedly in recent weeks, the rush toward agentic browsing is creating an entirely new security battleground.
Just two weeks ago, we reported how security researchers found that Mozilla’s AI-powered Firefox experiments could be manipulated into exposing sensitive user information through prompt injection attacks. Now, researchers say they have discovered yet another way to manipulate AI browsers into abandoning their safety guardrails altogether.
Security researchers at LayerX have published a new report detailing what they call BioShocking, a technique that manipulates AI browsers into believing they’re operating inside a game rather than the real world. The name comes from the BioShock video game series, where characters can be psychologically manipulated into carrying out actions they would otherwise refuse.
According to the researchers, the same concept can be applied to AI agents. Rather than directly instructing AI browsers to steal credentials or exfiltrate sensitive data (requests that should normally trigger safety protections), the attacker gradually convinces the AI that it’s participating in a fictional scenario where normal rules no longer apply.
Once that mental framework is established, the AI becomes significantly more willing to perform actions it would ordinarily reject. LayerX tested the attack against six AI browsers and browser extensions:
ChatGPT Atlas (OpenAI)
Comet (Perplexity)
Claude Chrome Extension (Anthropic)
Fellou
Genspark Browser
Sigma Browser
According to the researchers, every tested product was successfully manipulated during the proof-of-concept exercise.
The attack itself is surprisingly simple. Researchers created a webpage containing a puzzle game. The first challenge intentionally breaks logic by rewarding incorrect answers. For example, users are expected to answer “2 + 2 = 5” instead of 4. The AI initially reasons correctly but eventually adapts to the game’s rules after discovering that conventional logic no longer leads to success.
After convincing the AI that it is operating under an alternate set of rules, the game instructs the browser agent to visit another page and copy information from a textbox. In the demonstration environment, that page redirected to an authenticated GitHub repository containing login credentials. Instead of recognizing the action as credential theft or sensitive data extraction, the AI treated it as another step in solving the game.
Researchers showed the agent willingly retrieving the information and ultimately sharing it as part of the puzzle solution. The browser essentially prioritized “winning” over maintaining its security boundaries. LayerX argues that the attack succeeds because AI agents trust their operating context. If an attacker successfully manipulates that context, they can manipulate the AI’s behavior as well.
What makes this report particularly notable is how closely it aligns with vulnerabilities we’ve already seen emerge across the AI browser ecosystem. Earlier this month, security researchers working with Brave demonstrated how prompt injection attacks could manipulate AI agents into exposing sensitive information through specially crafted webpages. We’ve also seen another Mozilla-related issue showing how browser-integrated AI assistants could be persuaded to reveal email contents and login credentials when presented with malicious instructions hidden inside webpages.
The common thread across all of these incidents is not a traditional browser vulnerability. Instead, attackers are targeting the AI’s decision-making process itself. As AI agents gain deeper access to browser sessions, authentication tokens, repositories, emails, calendars, and internal enterprise systems, manipulating their reasoning becomes increasingly attractive to attackers.
The highest-profile names affected by the BioShocking research are undoubtedly OpenAI, Perplexity, and Anthropic. ChatGPT Atlas, OpenAI’s browser agent, was successfully exploited during testing. However, LayerX’s disclosure table indicates that OpenAI has since fixed the issue following responsible disclosure.
Perplexity’s Comet browser was also successfully manipulated. According to LayerX, Perplexity closed the report without implementing a fix, categorizing the disclosure as ignored. Anthropic’s Claude Chrome extension appears to be in a more complicated position. Researchers state that Anthropic attempted a mitigation, but the patch ultimately failed to prevent the attack.
Those disclosure outcomes are likely to attract significant scrutiny, especially as AI browser vendors continue marketing their products as productivity tools capable of handling increasingly sensitive tasks.
The timing of this discovery is especially significant. AI browsers are currently experiencing their fastest period of growth. Perplexity’s Comet has generated considerable attention, while numerous alternatives continue emerging as companies attempt to define the next generation of browsing. The industry’s focus is understandably centered on capabilities—more automation, deeper integrations, better reasoning, and increasingly autonomous agents.
But reports like BioShocking serve as a reminder that every new capability introduces new attack surfaces. Traditional browser security focused on protecting users from malicious websites. AI browser security must also protect users from malicious ideas.
That distinction may sound subtle, but it fundamentally changes the threat model. As AI agents gain permission to interact with repositories, corporate systems, password managers, and personal accounts, convincing them to make bad decisions could become just as dangerous as exploiting software vulnerabilities. For now, LayerX recommends that users carefully limit what their AI browser can access and remain cautious when granting agentic permissions.
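One way to limit access without relying on the agent's own judgment is a deterministic gate that sits between the model and the browser and checks every action against origin rules. The sketch below is an added example, not code from LayerX or any of the vendors named; createGate, the action format and the .example origins are hypothetical, and the trace is constructed to mirror the flow described above.

```javascript
// Added example: a deterministic action gate for a browsing agent.
// createGate, the action shapes and the .example origins are hypothetical.
function createGate({ taskOrigins, sessionOrigins }) {
  const inTask = new Set(taskOrigins);     // origins the user named in the task
  const authed = new Set(sessionOrigins);  // origins with a live user session
  const tainted = new Set();               // authenticated origins already read
  return function check(action) {
    let origin;
    try { origin = new URL(action.url).origin; }
    catch { return { decision: "block", reason: "unparseable URL" }; }
    switch (action.type) {
      case "navigate":
        // Page content steering the agent into a logged-in origin that is
        // outside the user's task needs explicit user approval.
        if (action.source === "page" && authed.has(origin) && !inTask.has(origin)) {
          return { decision: "confirm", reason: `page asked to open ${origin}` };
        }
        return { decision: "allow" };
      case "read":
        if (authed.has(origin)) tainted.add(origin);
        return { decision: "allow" };
      case "submit": {
        // Coarse taint rule: once an authenticated origin has been read,
        // nothing may be submitted to any other origin in this session.
        const sources = [...tainted].filter((o) => o !== origin);
        return sources.length
          ? { decision: "block", reason: `data from ${sources.join(", ")} to ${origin}` }
          : { decision: "allow" };
      }
      default:
        return { decision: "block", reason: "unknown action type" };
    }
  };
}

// Constructed trace: game page, page-directed visit to a repo, read, answer.
const SAMPLE_TRACE = [
  { type: "navigate", url: "https://puzzle.example/level1", source: "user" },
  { type: "navigate", url: "https://git.example/org/repo/creds.txt", source: "page" },
  { type: "read", url: "https://git.example/org/repo/creds.txt" },
  { type: "submit", url: "https://puzzle.example/answer" },
];

function replay(trace, taskOrigins, sessionOrigins) {
  const check = createGate({ taskOrigins, sessionOrigins });
  return trace.map((a) => check(a).decision);
}
console.log(replay(SAMPLE_TRACE, ["https://puzzle.example"], ["https://git.example"]));
```

The gate's decisions depend only on origins and on who requested the action, so reframing the task as a game does not change them.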
AI browsers may represent the future of web navigation, but their security guardrails are still very much a work in progress.
The post ChatGPT Atlas & Perplexity Comet AI browsers tricked into leaking user credentials via a puzzle game appeared first on PiunikaWeb.