Security researchers just found a strange way to trick AI browsers into handing over your passwords. They got AI browser agents to expose sensitive data like saved passwords, session cookies, and private tokens by disguising the theft as part of a harmless “game.”
The technique is called BioShocking, named after the popular video game BioShock, where a brainwashed character is manipulated into believing a false reality. Once an AI browser falls for the same trick, it stops following its own safety rules entirely.
How BioShocking tricks AI into breaking its own rules
AI browsers are built with guardrails to avoid exposing your data, but researchers at LayerX found a clever workaround. The attack starts on a malicious webpage with hidden prompts telling the AI it has entered a game to find secret strings. Since AI browsers rely heavily on context, that framing changes everything.
The page presents a BioShock-style puzzle where wrong answers earn points, encouraging logic like two plus two equals five. Once the AI accepts that logic, its safety rules weaken. The AI is then told that the next step of the game is to find and copy a hidden code from another page, which secretly leads straight to the user’s private login information.
In short, a request for saved passwords, which is normally blocked, gets reframed as just another game objective, letting the AI hand over sensitive data without recognizing the risk.
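Because the reframing works on the model's context, one mitigation is a check that never consults that context. The following is an added example, not code from LayerX or any of the vendors named here: a policy layer that decides on who requested a step and where data is going. The class name, the origins, and the assumption that the agent runtime tags each step with its requester ("user" or a page origin) are all hypothetical.

```javascript
// Added example: deterministic policy layer for a browser agent (all names hypothetical).
// Assumption: the runtime tags each step with who asked for it, "user" or a page origin.
class ActionGuard {
  constructor(sensitiveOrigins) {
    this.sensitive = new Set(sensitiveOrigins);
    this.secrets = new Map(); // value read from a sensitive origin -> that origin
  }

  static originOf(url) {
    try { return new URL(url).origin; } catch { return null; }
  }

  // Gate a navigation or read before it happens; fail closed on unparsable targets.
  checkRead(url, requestedBy) {
    const origin = ActionGuard.originOf(url);
    if (origin === null) return { allow: false, reason: "unparsable target" };
    if (this.sensitive.has(origin) && requestedBy !== "user") {
      return { allow: false, reason: `page ${requestedBy} asked for a read of ${origin}` };
    }
    return { allow: true, reason: "ok" };
  }

  // Remember values the agent saw on sensitive origins so later sends can be checked.
  recordRead(url, values) {
    const origin = ActionGuard.originOf(url);
    if (!this.sensitive.has(origin)) return;
    for (const v of values) if (v.length >= 6) this.secrets.set(v, origin);
  }

  // Gate form fills and requests: a recorded value may only go back to its own origin.
  checkSend(destUrl, payload) {
    const dest = ActionGuard.originOf(destUrl);
    for (const [value, source] of this.secrets) {
      if (payload.includes(value) && dest !== source) {
        return { allow: false, reason: `value from ${source} bound for ${dest}` };
      }
    }
    return { allow: true, reason: "ok" };
  }
}

// Constructed scenario: the origins and the secret below are made up.
const guard = new ActionGuard(["https://vault.example"]);
const pageDriven = guard.checkRead("https://vault.example/logins", "https://game.example");
guard.recordRead("https://vault.example/logins", ["constructed-secret-123"]);
const leak = guard.checkSend("https://game.example/score", "answer=constructed-secret-123");
console.log(pageDriven, leak);
```

Both checks return the same result whatever the page's text says about games or points, because neither one reads the page's text.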
Which AI browsers fell for the BioShocking attack?
All six AI browsers that were tested copied real credentials and sent them straight to the attacker, then treated the whole thing as a win. The proof of concept worked against ChatGPT Atlas, Perplexity’s Comet, Fellou, Genspark Browser, Sigma Browser, and Anthropic’s Claude extension for Chrome.
LayerX notified every vendor of its findings between October 2025 and January 2026, before going public. OpenAI fixed the issue in ChatGPT Atlas, while Perplexity closed the report without acting on it. Anthropic attempted a fix for its Claude extension, but LayerX says the patch did not hold up. Meanwhile, Fellou, Genspark, and Sigma never responded.
As AI browsers grow more common, BioShocking shows how easily they can be talked into making the wrong call.

