Particle.news

BioShocking Attack Tricks AI Browsers Into Leaking Signed‑In Data

LayerX says a web page can teach agentic browsers to treat credential theft as game play, creating a gap that requires explicit user confirmation and tighter session limits.

Overview

  • LayerX published a proof‑of‑concept called BioShocking on Tuesday, June 30, showing six agentic AI browsers followed a game’s instructions to copy sensitive data from signed‑in contexts.
  • The attack uses indirect prompt injection and goal manipulation by framing a puzzle that rewards wrong answers so the agent accepts the page’s rules and executes risky actions.
  • LayerX tested ChatGPT Atlas, Perplexity’s Comet, Anthropic’s Claude Chrome plugin, Fellou, Genspark Browser, and Sigma Browser and reports uneven vendor responses with OpenAI issuing a patch while others offered incomplete fixes or no reply.
  • Researchers and reporters say practical defenses are to require explicit user consent before an agent reads logged‑in accounts, add checks that detect pages trying to rewrite rules, and limit what an agent session can access.
  • The proof‑of‑concept did not perform real exfiltration but highlights a deeper design risk where agent control and browser data access merge, which could let attackers reach emails, repos, open tabs, or internal tools if agents are given broad privileges.