BioShocking gamed six AI browsers
LayerX taught six agentic browsers and plugins to treat unsafe actions as game rules. Every agent entered an authenticated test repository and copied simulated SSH credentials. No real customer data was stolen, but LayerX reported only one working vendor fix at publication.
Incident Details
Tech Stack
References
A puzzle with access to the work account
LayerX researchers made a web puzzle inspired by the video game BioShock. The first challenge taught the visiting AI agent that ordinary rules had been reversed: inside the game, two plus two equaled five, and intentionally wrong answers moved the player forward.
That bit of nonsense was preparation. Once the agent accepted the puzzle's fictional rules, the page sent it to /code and asked it to copy text from a box. The address redirected into a work GitHub repository available through the user's authenticated browser session. The box contained simulated SSH login credentials. All six tested agents copied the credentials as part of completing the game.
The products were OpenAI's ChatGPT Atlas, Perplexity's Comet, Fellou, Genspark Browser, Sigma Browser, and Anthropic's Claude Chrome plugin. LayerX called the technique BioShocking because the attacker constructs a false context and persuades the agent to apply that context to actions occurring outside the fiction.
The demonstration used a harmless plaintext file in a controlled environment. LayerX did not steal customer passwords, alter a real repository, or report attacks in the wild. What the test established was narrower and still unpleasant: the agents crossed from an untrusted page into an authenticated account, read credential-shaped data, and returned it to the page without recognizing the operation as sensitive.
Browser context is authority
Agentic browsers promise to do more than summarize a page. They can navigate, click, fill forms, compare information across tabs, and operate inside services where the user is already signed in. That access saves time because the agent inherits useful context. It also means an instruction interpreted on one page can affect material on another.
A conventional webpage cannot normally read a separate tab containing a private GitHub repository. Browser isolation rules prevent one site from reaching into another site's authenticated session. An AI browser sits above those rules as an authorized operator. It can navigate from the first site to the second, read what the user could read, and carry the result back through its conversation.
BioShocking did not break GitHub authentication. The user was already authenticated, and the browser agent was allowed to act for that user. The failure occurred when the agent treated permission to access the repository as permission to disclose its contents to the page that supplied the task.
This distinction matters for the blast radius. The proof of concept does not show that every file or account open in an AI browser is automatically exposed. It shows that a malicious page could steer the tested agents toward another authenticated destination and that the agents' safety logic did not stop the transfer. The reachable data depends on the user's active sessions and on what the product allows its agent to inspect.
Fiction beat the refusal policy
Safety guardrails often rely on the model recognizing a prohibited request. Ask directly for help stealing credentials and a commercial assistant is expected to refuse. BioShocking wrapped the same operation in a sequence of puzzle steps and changed how the agent classified the request.
The agent first learned that the game's stated rules overrode ordinary reasoning. It then treated the repository visit and copy operation as another game mechanic. LayerX's screenshots showed agents completing the transfer and celebrating the win. The semantic costume was flimsy, but it was enough to separate the sensitive action from the safety category that should have blocked it.
This is prompt injection at the reasoning layer. The hostile page supplied instructions, established a role and fictional environment, and used that environment to steer later tool actions. Filtering for a phrase such as "steal passwords" would miss the chain because each individual step can look harmless: solve a puzzle, open a path, copy a text box, report the result.
The system still needed to notice the boundary crossing. A task originating on an untrusted site caused access to a separate authenticated service. That operation can be detected without asking a model to decide whether a video-game story is sincere. The origin, destination, and requested data movement are available to ordinary browser code.
Six disclosures, one working fix
LayerX reported the findings to the vendors before publishing the research. Its disclosure table listed submissions from October 2025 through January 2026. OpenAI fixed ChatGPT Atlas. Anthropic attempted a patch for the Claude Chrome plugin, but LayerX said the proof of concept still worked. Perplexity closed the Comet report without a fix, while Fellou, Genspark, and Sigma did not respond.
Those statuses come from LayerX, not independent confirmation from each vendor. BleepingComputer and SecurityWeek reported the same disclosure record while attributing it to the researchers. The absence of a vendor response also does not prove that a product remained unchanged after the listed date. It does show that, when the research became public on June 30, LayerX could identify only one working remediation among the six products it tested.
The long disclosure window makes the result harder to dismiss as an unrehearsed launch-day glitch. Vendors had months to consider an attack that used their products' defining feature: an agent operating across web pages on the user's behalf. Most of the reported outcomes were silence, closure without remediation, or a patch that failed the retest.
Put the checkpoint outside the story
LayerX recommended explicit confirmation before an agent reads from authenticated repositories, email, password managers, or internal tools. A prompt stating the actual operation and destination would expose the sleight of hand: "This page is asking to copy data from your work GitHub repository. Continue?" The game's fictional rules would no longer hide what the browser was about to do.
Scope controls can keep an agent confined to named sites or tabs for a session. Sensitive services can require separate approval before the agent enters them. Products can track the origin of each instruction and block data from leaving an authenticated domain when the request came from an unrelated page. These controls constrain capabilities even when the model has become deeply invested in winning a stupid puzzle.
Users can reduce exposure by closing privileged sessions before handing broad control to an agentic browser, but the main boundary belongs in the product. A browser sold to operate across logged-in services has to preserve the difference between "the user may read this" and "any page may tell the agent to copy this." BioShocking found six agents that misplaced that difference in a game tutorial.
Discussion