Technology · Jul 1, 2026 · 2 min read

BioShocking Challenges AI-Powered Browsers: A New Attack Exploits Prompt Injection

A group of researchers from LayerX has introduced BioShocking, a new attack technique based on prompt injection that highlights some weaknesses in browsers equipped with artificial intelligence agents. According to the study, this methodology can lead AI assistants to interpret potentially dangerous actions as if they were part of an imaginary context, thus reducing the effectiveness of integrated protection mechanisms.

To demonstrate how the attack works, experts created a proof of concept inspired by the BioShock video game universe. In this scenario, a web page presents a puzzle in which incorrect answers are rewarded, gradually inducing the AI agent to accept behaviors that are normally against the rules. In the final phase of the experiment, the browser receives the instruction to visit a GitHub archive and copy information present in the code, including credentials and sensitive data.

According to LayerX, the main issue lies in the inability of agents to accurately distinguish between a simulated context and real operations involving sensitive information. The researchers clarify that the demonstration did not actually extract data from users, but emphasize that the same technique could be adapted to a harmful scenario without changing the logic of the attack.

Additional Details on BioShocking and the Test

The test was conducted on six browsers and AI tools dedicated to browsing: ChatGPT Atlas, Comet, Fellou, Genspark Browser, Sigma Browser, and Claude's Chrome plugin. Reportedly, all of them proved vulnerable during the test.

LayerX states that it communicated the issue to manufacturers as early as October of last year. Three companies allegedly did not respond at all. OpenAI was noted as the only one to have introduced an effective fix for ChatGPT Atlas. Anthropic has released an update for its Chrome plugin, but it was deemed insufficient against the test conducted by the researchers. Perplexity AI also reportedly closed the report without implementing changes.

LayerX suggests that manufacturers introduce explicit confirmations before sensitive operations, stricter context checks, and operational limits for AI agent sessions. Users are instead advised to limit, whenever possible, AI browsers' access to services containing sensitive data.
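A sketch of how the three suggested controls could sit in front of an agent's tool calls, as an added example that is not LayerX's or any vendor's code. The names (`Action`, `Session`, `decide`, `approve`), the host list and the limit are assumptions chosen for illustration. The decision depends only on what the action touches and where the instruction came from, so a page's "it's only a game" framing never enters it.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed policy values for illustration; not from LayerX or any vendor.
SENSITIVE_HOSTS = {"github.com", "mail.example"}
MAX_ACTIONS = 20  # per-session operational limit


@dataclass
class Action:
    kind: str    # "navigate", "read", "copy", ...
    url: str     # target of the action
    source: str  # "user" = typed by the user, "page" = derived from web content


@dataclass
class Session:
    task_host: str  # site the user asked the agent to work on
    used: int = 0   # actions already allowed in this session
    approved: set = field(default_factory=set)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_sensitive(host: str) -> bool:
    # Match the listed host itself and any of its subdomains.
    return any(host == h or host.endswith("." + h) for h in SENSITIVE_HOSTS)


def decide(session: Session, action: Action) -> str:
    """Return "allow", "confirm" or "deny" for one proposed agent action."""
    if session.used >= MAX_ACTIONS:
        return "deny"  # operational limit reached
    target = host_of(action.url)
    if is_sensitive(target):
        # Context check: page content may not steer the agent to a
        # sensitive service outside the site the user's task is about.
        if action.source == "page" and target != session.task_host:
            return "deny"
        # Explicit confirmation before a sensitive operation.
        if (action.kind, target) not in session.approved:
            return "confirm"
    session.used += 1
    return "allow"


def approve(session: Session, action: Action) -> None:
    """Record an explicit user confirmation for this action kind on this host."""
    session.approved.add((action.kind, host_of(action.url)))
```
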