Security firm LayerX has published research demonstrating that six AI browsers and assistants can be manipulated into copying a user’s stored login credentials and sending them to an attacker-controlled endpoint — no malware installation required, just a visit to a malicious web page.
BioShocking: A Puzzle Game That Disables AI Browser Guardrails
LayerX’s research describes the technique as “BioShocking.” The confirmed affected systems include OpenAI ChatGPT Atlas, Perplexity Comet, and Anthropic’s Claude browser extension. All three were confirmed to exfiltrate stored login credentials when subjected to the attack under test conditions.
The technique does not exploit a software memory vulnerability or abuse a network protocol. Instead, it works by manipulating the AI agent’s decision-making process using the page content itself. A malicious web page presents what appears to be a simple puzzle game — one that rewards deliberately wrong answers. Once the AI agent accepts incorrect answers as acceptable within the game context, it begins relaxing its normal content policies for the rest of the page. A hidden instruction embedded in the same page then directs the AI to copy credentials from the user’s currently active logged-in sessions and transmit them to an external endpoint the attacker controls.
The Single Text Stream That Makes Page Content Into Instructions
The underlying structural problem LayerX identified is that web page content and legitimate user instructions arrive at the AI agent through the same input channel — a single text stream that the model processes without a privilege separation layer. A malicious web page can inject commands formatted to look like ordinary content, and the AI agent interprets them as instructions in the same way it would treat a directive typed directly by the user.
The puzzle game is not incidental to the attack. It functions as a conditioning step: by getting the AI to accept wrong answers as fine, the page trains the model within that session to be less strict about evaluating whether subsequent instructions are appropriate. The AI has, in effect, been conditioned to lower its guard before the credential-theft instruction appears.
OpenAI Fixed ChatGPT Atlas; Perplexity and Anthropic Responses Diverged
LayerX reported the BioShocking findings to vendors between October 2025 and January 2026 before publishing publicly. The vendor responses diverged significantly across the three confirmed-affected systems.
OpenAI fixed the issue in ChatGPT Atlas. Perplexity received the report and closed it without taking action. Anthropic attempted a fix for the Claude browser extension, but LayerX’s follow-up testing found the fix did not hold — the extension remained vulnerable after the attempted remediation.
The Missing Privilege Boundary Between Page Content and Account Access
LayerX’s core recommendation following the BioShocking research is that AI browsers should require explicit user approval before reading data from logged-in accounts. As of the disclosure, no tested AI browser or assistant enforced a privilege boundary between the act of reading page content — a routine browser task — and the act of accessing authenticated session data belonging to the user.
The absence of this boundary is the design gap that makes BioShocking possible. A conventional browser extension that tried to read credentials from logged-in sessions without authorization would be blocked by the browser’s extension permission model. AI agents operating within the browser as assistants with account access have not been subject to the same privilege containment — page content they read and user-level instructions they follow arrive through the same channel, without a mechanism to distinguish a legitimate instruction from an injected command on a malicious page.
The disclosure is public as of June 30, 2026. Any user relying on an AI browser assistant or AI-integrated browser extension with access to their logged-in accounts faces potential credential exposure from malicious web pages specifically designed to exploit this class of vulnerability.
