AI browsers were tricked into revealing passwords with a shockingly simple approach

BioShocking makes the browser think it's playing a game, and some vendors haven't fixed the exploit.
3 hours ago

TL;DR
  • LayerX found that AI browsers could be tricked into exposing sensitive data by making the request appear to be a game.
  • The technique, named BioShocking, uses fake rules to take the agents out of their context and make them ignore their guardrails.
  • All six tested tools leaked data, and most of the vendors haven’t yet fixed the issue.

There’s a reason many of us are still a bit suspicious of AI. You’d hope an AI browser couldn’t be tricked into giving your sensitive information away at all, but you’d at least expect any successful attack to be a complicated act of genius. However, according to new research, it may be as simple as convincing the AI that it’s playing a game.

Security firm LayerX has detailed a technique it has named BioShocking in its research (via Digital Trends). The name is a nod to BioShock, where a character is manipulated into accepting a false reality. Here, a malicious webpage frames the AI browser’s task as a puzzle, encouraging it to follow strange rules as part of the game.

That starts with the AI being told that 2 + 2 does not equal 4, and that wrong answers are actually correct within the game. Once the agent accepts that it is no longer operating in a normal reality, its guardrails appear to go out of the window. The next instruction is then presented as another game objective: find and copy a “hidden code” from another page.

As you may have already guessed, the code is actually sensitive user data, such as saved passwords, session cookies, or private tokens. LayerX says the tested agents copied the data and sent it back to the attacker as though they had simply completed the challenge.
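The flow described above (read a value on one site, hand it to another because page content said so) can be refused by a check that sits outside the model and never sees the game framing. The sketch below is an added example, not code from LayerX or any of the vendors; the function name, the action format and the example origins are hypothetical, and it assumes the agent runtime records where each value was read and whether a step was instructed by the user or by page content.

```javascript
// Added example: deterministic data-flow gate for a browser agent's actions.
// checkTrace, the action shape and all origins are hypothetical.

// Origin of a URL; non-URL sources (e.g. a credential store name) pass through.
function originOf(src) {
  try { return new URL(src).origin; } catch { return src; }
}

// Walk an agent's planned actions and give a verdict for each outbound "send".
// Rule: a value read from origin A may be sent to origin B != A only when the
// step was instructed by the user, never when it was instructed by page content.
function checkTrace(actions) {
  const taint = new Map(); // value id -> origin it was read from
  const verdicts = [];
  for (const a of actions) {
    if (a.type === "read") {
      taint.set(a.id, originOf(a.from));
    } else if (a.type === "send") {
      const dest = originOf(a.to);
      // Values with no recorded source are treated as foreign (fail closed).
      const foreign = a.uses
        .map((id) => taint.get(id) ?? "unknown")
        .filter((origin) => origin !== dest);
      const pageDriven = a.instructedBy !== "user";
      verdicts.push({ to: dest, blocked: pageDriven && foreign.length > 0, foreign });
    }
  }
  return verdicts;
}

// Constructed trace shaped like the article's scenario: a page-supplied
// "objective" makes the agent read a value elsewhere and submit it back.
const gameTrace = [
  { type: "read", id: "v1", from: "https://mail.example/settings" },
  { type: "send", to: "https://puzzle.example/submit", uses: ["v1"],
    instructedBy: "page:https://puzzle.example" },
];

// Constructed benign trace: data stays on the origin it came from.
const benignTrace = [
  { type: "read", id: "v2", from: "https://shop.example/cart" },
  { type: "send", to: "https://shop.example/checkout", uses: ["v2"],
    instructedBy: "page:https://shop.example" },
];

console.log(checkTrace(gameTrace), checkTrace(benignTrace));
```

The verdict depends only on where the data came from, where it is going and who asked, so it is the same whether the page calls the step a puzzle or anything else.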

The proof of concept was tested against ChatGPT Atlas, Perplexity Comet, Fellou, Genspark Browser, Sigma Browser, and Anthropic’s Claude extension for Chrome. LayerX says all six exposed sensitive information during testing.

LayerX says it disclosed the issue to all six vendors between October 2025 and January 2026, and the responses haven’t been as reassuring as you might hope. OpenAI fixed the issue in ChatGPT Atlas, while Anthropic attempted a fix for its Claude extension, though LayerX says that the patch failed. Perplexity reportedly closed the issue without making a fix, while Fellou, Genspark, and Sigma did not respond.

AI browsers are designed to act for you, and that makes it much more important that they can tell the difference between a harmless puzzle and a very real data grab. Personally, research like this means I’m in no hurry to switch to one just yet.
