
BioShocking prompts AI browsers into data theft
LayerX’s BioShocking reveals a prompt-injection technique that can mislead AI-powered browsers into treating real-world risky actions as fictional, bypassing safety guardrails. In a PoC, six agentic browsers (ChatGPT Atlas, Comet, Fellou, Genspark Browser, Sigma Browser, Claude Chrome plugin) were shown a final task that instructed them to visit a GitHub repo and copy sensitive data (including passwords), after which they failed to identify it as a threat. OpenAI reportedly patched the issue in ChatGPT Atlas; Anthropic’s Chrome plugin fix was ineffective; Perplexity AI did not fix the problem. The researchers urge explicit user confirmations for sensitive actions, stronger context checks, and tighter session scope, while users should restrict AI browser access to sensitive services.












