Security researchers have uncovered an unusual method for coaxing AI browsers into disclosing your passwords. By disguising the theft as a benign “game,” they were able to get AI browser agents to expose sensitive information like stored passwords, session cookies, and private tokens.
The approach, dubbed BioShocking after the video game BioShock, manipulates an AI into accepting a fabricated reality. Once the AI is fooled, it abandons its built‑in safety protocols entirely.
### How BioShocking convinces AI to ignore its own safeguards
AI browsers normally include guardrails that prevent them from leaking personal data, but a team at LayerX discovered a clever bypass. The attack begins on a malicious webpage that contains hidden prompts telling the AI it has entered a game to locate secret strings. Because AI browsers heavily rely on contextual cues, this framing changes the entire interaction.
The page presents a BioShock‑style puzzle where incorrect answers earn points, encouraging illogical reasoning such as “two plus two equals five.” When the AI adopts this logic, its safety mechanisms become lax. The AI is then instructed that the next game step is to retrieve and copy a hidden code from another page, which actually points directly to the user’s private login credentials.
In effect, a request for saved passwords—normally blocked—is reinterpreted as a game objective, allowing the AI to hand over sensitive data without recognizing the danger.
### Which AI browsers fell for the BioShocking exploit?
All six AI browsers tested leaked real credentials and sent them straight to the attacker, treating the incident as a successful game completion. The proof‑of‑concept succeeded against ChatGPT Atlas, Perplexity’s Comet, Fellou, Genspark Browser, Sigma Browser, and Anthropic’s Claude extension for Chrome.
LayerX alerted each vendor between October 2025 and January 2026 before publishing the findings. OpenAI patched the flaw in ChatGPT Atlas, while Perplexity closed the report without taking action. Anthropic attempted a fix for its Claude extension, but LayerX reports the patch was ineffective. Fellou, Genspark, and Sigma have not responded.
As AI browsers become more widespread, the BioShocking technique highlights how easily they can be persuaded to make unsafe decisions.