As AI browsers and assistants capable of autonomous web browsing and task execution grow in popularity, a new class of security vulnerability targeting them is emerging. Developers at cybersecurity company LayerX recently revealed a new proof-of-concept attack called "BioShocking." By embedding a dystopian interactive puzzle in the style of the classic game "BioShock" in a web page, an attacker can "play" the AI browser into bypassing its built-in security guardrails and obediently handing over the user's sensitive login credentials.

LayerX's research team explained that the core of the "BioShocking" attack is to exploit a weakness in the internal reasoning logic of the large language model (LLM). At this stage, AI browsers often process the web page content they read and the security instructions they receive as a single text stream, which leaves them unable to accurately distinguish "ordinary game content on the web page" from "malicious system control commands."
In this test, the attacker built a puzzle web page styled after "Rapture," the underwater city of "BioShock." After the game starts, the AI is induced to answer a simple math question (for example, it is required to accept that 2+2=5 is the correct answer). Once the AI accepts the rules of the game and begins to immerse itself in the fictional storyline, it concludes that it is in a "non-real world" game. The researchers pointed out that as long as the AI is convinced that it is playing a game, it switches to applying "game logic" to all subsequent actions, leaving the "safety logic" of the real world behind.
The final step in the puzzle then instructs the AI, as a seemingly logical next move, to grab and copy the user's credentials. Since the AI is fully immersed in the game narrative at this point and treats the step as a "passthrough reward," it does not raise any security alert or refuse to execute. In the actual test, the attacked AI did not hesitate to access the GitHub repository where the victim was logged in at work, extract the SSH login credentials, package them and send them to the attacker's server. More ironic still, after completing this series of thefts, the AI excitedly "reports good news" to the user, presenting it as a victory in the game task.
LayerX reportedly used this vulnerability successfully against six mainstream AI browsers and assistants in testing, including OpenAI's ChatGPT Atlas, Perplexity's Comet, and Anthropic's Claude Chrome browser plug-in. If this vulnerability were exploited maliciously in the real world, an attacker would only need to induce a user to click on a link, and could then silently use the AI to raid every tab, logged-in account or internal company tool that the user has open in the current session.
LayerX stated that it notified all affected vendors of the vulnerability between October 2025 and January 2026. However, the vendors' progress on fixes is uneven. Currently, only OpenAI has fixed this problem in its ChatGPT Atlas browser. Security experts caution that because "Agentic Disaster" is becoming a new threat in daily web browsing, AI browsers must enforce a mandatory secondary confirmation from the user when performing sensitive operations such as reading credentials. At the same time, users should limit the access such AI agents have to core private data as far as possible.
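
One way to enforce the secondary confirmation the article calls for, as an added example that is not LayerX's or any vendor's code: a gate that sits between the actions the model proposes and the browser, so the decision never depends on what the model believes about the page. The action type names, `createGate` and its options are hypothetical.

```javascript
// Hypothetical action gate for a browsing agent (added illustration).
// The model proposes actions; this code, not the model, decides.
const SECRET_READS = new Set(["read_credentials", "read_ssh_key", "read_cookies"]);
const OUTBOUND = new Set(["http_post", "submit_form", "navigate_with_data"]);

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// taskOrigins: origins the user named when starting the task.
// confirm: browser-UI prompt returning true/false; the model cannot answer it.
function createGate({ taskOrigins, confirm }) {
  const allowed = new Set(taskOrigins);
  let tainted = false; // true once a secret has entered the agent's context
  const log = [];

  function decide(action) {
    const origin = originOf(action.url);
    if (origin === null) return { allow: false, reason: "unparseable target" };

    if (SECRET_READS.has(action.type)) {
      // Prompt text is built from action fields only, never from page or
      // model text, so a game narrative cannot reword what the user sees.
      const ok = confirm(`Agent wants to ${action.type} at ${origin}. Allow?`);
      if (!ok) return { allow: false, reason: "user declined secret read" };
      tainted = true;
      return { allow: true, reason: "user confirmed" };
    }
    if (OUTBOUND.has(action.type) && !allowed.has(origin)) {
      // After a secret read, off-task sends are refused without asking.
      if (tainted) return { allow: false, reason: "secret in context, off-task origin" };
      const ok = confirm(`Agent wants to send data to ${origin}. Allow?`);
      return ok ? { allow: true, reason: "user confirmed" }
                : { allow: false, reason: "user declined send" };
    }
    return { allow: true, reason: "not sensitive" };
  }

  return {
    check(action) {
      const verdict = decide(action);
      log.push({ ...action, ...verdict }); // audit trail for later review
      return verdict;
    },
    log,
  };
}
```

Even if the user approves the credential read, the later send to an origin outside the task is refused, which breaks the read-then-send sequence the article describes.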