New "BioShocking" Attack Exploits AI Browsers to Bypass Security Controls
Security researchers at LayerX have uncovered a novel attack technique called "BioShocking", which manipulates AI-powered browsers into leaking sensitive data by altering their perception of reality. The method exploits how large language models (LLMs) enforce safety guardrails through contextual understanding allowing threat actors to trick AI agents into ignoring security restrictions.
The attack draws inspiration from the BioShock video game, where characters are controlled via distorted perception. Similarly, BioShocking uses prompt injection and context manipulation to convince AI systems they are operating in a fictional or game-like environment where normal rules don’t apply. Once the AI accepts this false context, it may comply with malicious instructions, such as retrieving credentials or accessing secure systems.
In a demonstration, researchers embedded a BioShock-themed puzzle in a webpage. The AI agent was first presented with a simple math question but rewarded for incorrect answers (e.g., "2 + 2 = 5"). Over time, the AI adapted to this altered logic. In the final stage, it was instructed to navigate to a private path unbeknownst to the AI, this redirected to a GitHub repository containing sensitive credentials, which were then extracted and shared without triggering security warnings.
The attack was successfully tested against multiple AI-enabled browsing tools, including:
- ChatGPT Atlas (OpenAI) – Fixed
- Comet (Perplexity AI) – Closed/ignored
- Claude Chrome Plugin (Anthropic) – Patch unsuccessful
- Fellou, Genspark, Sigma Browser – No response
The broad impact highlights a systemic weakness in how AI agents interpret context. Since LLMs treat context as truth, attackers can reshape their decision-making, turning trusted tools into vectors for data exfiltration. Researchers warn that real-world attacks could target email accounts, internal dashboards, or password managers accessible within a user’s session.
To mitigate risks, vendors are advised to require explicit user confirmation before accessing sensitive data, detect unrealistic contexts, and restrict agent capabilities in authenticated sessions. The discovery underscores a critical shift in AI security, where attackers no longer need to break systems directly instead, they can reshape how AI perceives reality.
Source: https://cybersecuritynews.com/bioshocking-attack/
OpenAI TPRM report: https://www.rankiteo.com/company/openai
Fellou TPRM report: https://www.rankiteo.com/company/fellou
"id": "felope1782836693",
"linkid": "fellou, openai",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Technology / AI',
'name': 'ChatGPT Atlas (OpenAI)',
'type': 'AI Browser Tool'},
{'industry': 'Technology / AI',
'name': 'Comet (Perplexity AI)',
'type': 'AI Browser Tool'},
{'industry': 'Technology / AI',
'name': 'Claude Chrome Plugin (Anthropic)',
'type': 'AI Browser Tool'},
{'industry': 'Technology / AI',
'name': 'Fellou',
'type': 'AI Browser Tool'},
{'industry': 'Technology / AI',
'name': 'Genspark',
'type': 'AI Browser Tool'},
{'industry': 'Technology / AI',
'name': 'Sigma Browser',
'type': 'AI Browser Tool'}],
'attack_vector': 'Context manipulation, prompt injection',
'data_breach': {'data_exfiltration': 'Yes (credentials shared without '
'security warnings)',
'sensitivity_of_data': 'High (credentials, potentially PII)',
'type_of_data_compromised': 'Sensitive credentials'},
'description': 'Security researchers at LayerX have uncovered a novel attack '
"technique called 'BioShocking', which manipulates AI-powered "
'browsers into leaking sensitive data by altering their '
'perception of reality. The method exploits how large language '
'models (LLMs) enforce safety guardrails through contextual '
'understanding, allowing threat actors to trick AI agents into '
'ignoring security restrictions. The attack uses prompt '
'injection and context manipulation to convince AI systems '
'they are operating in a fictional or game-like environment '
'where normal rules don’t apply, leading to compliance with '
'malicious instructions such as retrieving credentials or '
'accessing secure systems.',
'impact': {'data_compromised': 'Sensitive credentials',
'identity_theft_risk': 'High (if credentials are exposed)',
'operational_impact': 'Potential unauthorized access to email '
'accounts, internal dashboards, or password '
'managers',
'systems_affected': 'AI-powered browsing tools'},
'lessons_learned': 'The discovery underscores a critical shift in AI '
'security, where attackers no longer need to break systems '
'directly but can reshape how AI perceives reality. AI '
"agents' reliance on contextual understanding can be "
'exploited to bypass security guardrails.',
'post_incident_analysis': {'root_causes': "LLMs' reliance on contextual "
'understanding and safety '
'guardrails that can be manipulated '
'via prompt injection and context '
'distortion'},
'recommendations': ['Require explicit user confirmation before AI agents '
'access sensitive data',
'Implement mechanisms to detect unrealistic or '
'manipulated contexts',
'Restrict AI agent capabilities in authenticated sessions',
'Enhance monitoring for unusual AI behavior or '
'decision-making patterns'],
'references': [{'source': 'LayerX Research'}],
'response': {'remediation_measures': ['Require explicit user confirmation '
'before accessing sensitive data',
'Detect unrealistic contexts',
'Restrict agent capabilities in '
'authenticated sessions']},
'title': 'BioShocking Attack Exploits AI Browsers to Bypass Security Controls',
'type': 'AI Manipulation / Prompt Injection',
'vulnerability_exploited': 'LLM contextual understanding and safety '
'guardrails'}