BioShocking: Prompt-Injection Attack Disables AI Browser Filters

In a nutshell: A newly documented prompt-injection technique manipulates AI browsers through fictional game scenarios to disable their security filters and steal credentials; OpenAI has patched, other vendors have not.

Security researchers from LayerX have documented a prompt-injection attack called BioShocking that causes AI-powered browsers to ignore their security barriers and exfiltrate sensitive user data such as passwords. The attack exploits fictional game scenarios to train AI agents to disregard security rules.

LayerX has uncovered a new attack method against AI browsers, which it calls BioShocking. The method works through fictional game scenarios that manipulate AI-powered browsers into bypassing their internal security barriers. The researchers developed a proof-of-concept in which a malicious webpage presents a puzzle game styled after the video game BioShock.

The core problem lies in the training logic of the game scenario: the AI agent is conditioned by the game to accept actions that are faulty or normally blocked. LayerX describes it this way: “Once the agents understood the rules and learned that ‘wrong’ actions were acceptable, they were no longer bound by reality.” In the final step, the agent is instructed to access a GitHub repository to copy and share passwords and sensitive data stored there. All six AI browser agents tested failed to recognize this final task as a violation of their security barriers.

LayerX tested the attack against six AI browser products: ChatGPT Atlas, Comet, Fellou, Genspark Browser, Sigma Browser, and Anthropic’s Claude Chrome extension. The researchers notified the affected companies in October of the previous year. OpenAI subsequently implemented an effective mitigation for ChatGPT Atlas. Anthropic’s patch for the Chrome extension proved ineffective against the proof-of-concept, while Perplexity AI closed the report without implementing corrective measures. Three vendors have not yet responded.