devtake.dev

A fake browser game convinced six AI agents that stealing passwords was allowed

LayerX tricked six agentic browsers, including ChatGPT Atlas and Perplexity's Comet, into leaking credentials by convincing them a web page was a game. Here's the attack class.

Luca Reinhardt · · 7 min read · 4 sources
Flat illustration of a laptop with a hook pulling a password from the screen, surrounded by phishing and malware icons
Mohamed Hassan / CC0 via Wikimedia Commons · Source

Six AI browsers walked into a puzzle game and walked out leaking passwords. That’s the short version of BioShocking, a prompt-injection technique that security firm LayerX disclosed in late June. The trick was almost embarrassingly simple: convince the agent it was playing a game, and its safety rules stopped applying.

Everyone is shipping an agentic browser right now. Perplexity has Comet, OpenAI has ChatGPT Atlas, Anthropic has a Claude Chrome extension, and a wave of startups like Fellou, Genspark, and Sigma are racing to match them. The pitch is the same across all of them: let an AI agent read pages and act on your behalf, so you stop clicking through the boring parts of the web yourself. LayerX pointed that same capability at a booby-trapped page and got all six to hand over credentials from a code repository. The reason it worked tells you something uncomfortable about the whole category.

What LayerX actually built

The proof-of-concept is a web page with a math puzzle. It’s themed after the 2007 game BioShock, where the player is brainwashed into a false reality and made to obey the hypnotic phrase “Would you kindly?” LayerX borrowed the concept directly. The puzzle rewards deliberately wrong answers. Two plus two equals five is the winning move.

Here’s the clever part. Once each agent worked out that “incorrect” answers were the correct ones, it stopped treating the page as reality. LayerX puts it plainly: “Once the agents figured out the rules and learned that ‘incorrect’ actions are acceptable, they were no longer tied to reality.” The final step of the puzzle instructed the agent to visit a linked repository and copy the sensitive files there, including SSH credentials. All six did it. Not one flagged the request as a safety violation.

That’s the whole exploit. No memory corruption, no zero-day in the rendering engine, no malware payload. Just text on a page that reframes what the agent thinks it’s doing.

What makes the demonstration land is that it’s ordinary web content. A puzzle game is exactly the kind of page an agentic browser is built to engage with, and nothing about it trips a scanner. The malicious step arrives only after the agent has already accepted the game’s premise, wrapped inside instructions the agent now reads as part of the fiction. The final redirect points the agent at a repository and asks it to copy what it finds. By that point the model has spent several turns being rewarded for ignoring its instinct that something is off. The safety check that should have fired never does.

Why agentic browsers are structurally exposed

A normal browser renders a page. An agentic browser reads the page, decides what it means, and then acts. That extra step, the deciding, is the attack surface. Prompt injection works because the agent can’t reliably tell the difference between instructions from you and instructions embedded in the content it’s reading. To the model, both arrive as text in the same window.

LayerX names the root cause: “If you convince an agent that it’s playing a game, then it will apply game logic, not real world safety logic.” The guardrails aren’t a wall around the agent. They’re judgments the model makes based on context, and the context is whatever the current page says it is. Feed it a fictional frame convincingly enough and the safety reasoning follows the fiction.

This is what Ars Technica meant by describing the browsers as “lulled into a dream world where guardrails no longer apply.” The agent isn’t hacked in the traditional sense. It’s talked into it. And because a logged-in agentic browser carries your authenticated sessions, the moment it’s talked into acting, it acts with your access. That’s the difference between a chatbot getting confused and an agent draining a repository.

LayerX is the same firm that earlier demonstrated CometJacking, a one-click prompt-injection attack against Comet. BioShocking generalizes the idea across the market.

Only one vendor actually fixed it

LayerX says it informed the vendors in October last year, well before the June disclosure. The responses split three ways.

OpenAI shipped a working fix in ChatGPT Atlas. It’s the only one of the six that holds up against the proof-of-concept. Anthropic attempted a patch on its Claude Chrome extension, but LayerX reports the patch is ineffective and the attack still lands. Perplexity closed the report without fixing Comet. The three smaller vendors, Fellou, Genspark, and Sigma, did not respond at all.

So five of six agentic browsers on the market are still exposed to a publicly documented technique months after their makers were warned. If you’re keeping score, the vendor with the most resources moved, and almost nobody else did.

LayerX’s own recommended defenses are the kind of thing you’d expect a mature product to already do: require explicit user confirmation before an agent touches a logged-in account, detect when a page is telling the agent that the normal rules are suspended, and default agentic sessions to a restrictive scope rather than full access. None of those fully solve the underlying problem, because the underlying problem is that the model has to reason about intent from text it can’t fully trust. They raise the cost of the attack and add a human checkpoint at the exact moment the agent is about to do something irreversible. For now, a checkpoint is most of what stands between a convincing page and your credentials.

This is an attack, not the defense you read about last month

Worth being precise here, because the vocabulary overlaps. Last month OpenAI announced Lockdown Mode, a toggle in ChatGPT that disables web browsing, Agent mode, and connectors to block the moment injected instructions try to ship your data out. That’s a defense, and it targets the exfiltration step.

BioShocking is the other side of the fight. It’s an attack, and it targets the decision step, the point where the agent evaluates whether an action is safe. Lockdown Mode tries to stop the payload from leaving; BioShocking gets the agent to approve the action before any payload question comes up. One is a shield a user opts into. The other is a technique that works against agents whether or not that shield exists elsewhere. Confusing the two is easy because both live under the “prompt injection” umbrella, but they sit at opposite ends of the same attack chain.

Credential theft through an agent is not hypothetical. The industry keeps relearning how much damage leaked secrets do, from the Claude Code source-leak scare to LastPass getting breached yet again. An agentic browser that can be talked into copying an SSH key is a new front door to the same house.

What this means for you

Treat today’s agentic browsers as powerful, useful, and not trustworthy with your secrets. The single most effective thing you can do costs nothing: keep the agent logged out of anything that matters. If Comet or Atlas isn’t authenticated to your GitHub, your email, or your bank, a poisoned page has nothing to steal. LayerX’s own recommendations line up with that, plus asking vendors for explicit confirmation before an agent touches a logged-in account.

If you’re evaluating one of these for a team, the vendor-response table is your buying signal. OpenAI fixed BioShocking; the others didn’t. That’s a proxy for how seriously each vendor takes an entire attack class, not just one bug. Watch whether Anthropic and Perplexity ship real fixes over the next quarter. Until they do, the safe assumption is that any page your agent visits can rewrite what your agent believes it’s allowed to do.

Share this article

Quick reference

prompt injection
Hidden text on a page, file, or email that hijacks an AI assistant, making it follow an attacker's instructions instead of the user's, like phishing aimed at the model.

Sources

Frequently Asked

What is an agentic browser?
A browser with a built-in AI agent that reads pages and takes actions for you: clicking, filling forms, copying data, logging into accounts. Comet, ChatGPT Atlas, and Fellou are examples.
What is prompt injection in plain English?
Hidden text on a page or in a file that tricks an AI assistant into following an attacker's instructions instead of yours. It's phishing aimed at the model rather than at you.
Which browsers did LayerX test, and did any hold up?
Six: ChatGPT Atlas, Comet, Claude Chrome, Fellou, Genspark, and Sigma. All six fell for it. OpenAI patched Atlas; Anthropic's fix failed against the proof-of-concept, and Perplexity closed the report without acting.
Isn't this the same as OpenAI's Lockdown Mode news?
No. Lockdown Mode is a defense OpenAI shipped in June to block the data-exfiltration step. BioShocking is an attack that gets the agent to bypass its safety checks in the first place.
Should I use an agentic browser for banking or work accounts?
Not yet. Keep the agent logged out of anything sensitive. If it can act inside a service, a poisoned page can make it act against you there.

Mentioned in this article