Particle.news

BioShocking Proof Shows AI Browsers Can Be Tricked Into Leaking Credentials

A game-like webpage can reframe an agent’s context so it reads and copies data from accounts the user is signed into.

Overview

  • Security firm LayerX published a proof‑of‑concept called BioShocking in late June that tricked six agentic AI browsers and plugins into copying credentials during tests without performing remote exfiltration.
  • The attack uses an indirect prompt injection: a malicious page rewards ‘wrong’ answers to teach the agent that normal rules do not apply and then instructs the agent to fetch data from signed‑in resources like a GitHub repo.
  • LayerX reported the issue to vendors between October 2025 and January 2026 and says vendor responses have been uneven, with OpenAI deploying a working fix for ChatGPT Atlas while other vendors remain unpatched or have disputed or ineffective patches.
  • Researchers urge immediate engineering and UX changes such as explicit confirmation prompts before reading signed‑in accounts, strict scope limits for agents, and stronger checks for pages that claim normal rules do not apply.
  • Until robust fixes are in place, users and security teams should treat agent mode as a separate account with least‑privilege access and restrict AI browser access to sensitive services to reduce the risk of credential exposure.