Threat Database Vulnerability BioShocking Attack Technique

BioShocking Attack Technique

By Mezo in Vulnerability

Security researchers have uncovered a technique known as BioShocking, demonstrating that several AI-powered browsers and assistants can be manipulated into stealing user credentials and delivering them to an attacker. The affected platforms included OpenAI's ChatGPT Atlas, Perplexity's Comet, and Anthropic's Claude browser extension.

Unlike traditional browsers that merely display web content, AI browsers can act on behalf of users. When operating in agent mode, these systems can click buttons, type commands, and interact with websites where users are already authenticated. While this functionality is designed to improve productivity, it also creates significant security risks.

The Weakness Behind the Attack

The attack exploits the way AI agents process information. User instructions and webpage content are treated as a single stream of text, allowing malicious websites to hide commands within seemingly harmless content. Researchers refer to this technique as indirect prompt injection.

To exploit this weakness, researchers created a puzzle-themed webpage inspired by a dystopian scenario in which incorrect answers are rewarded. For example, the game encouraged the agent to accept that '2 + 2 = 5.' Once the AI adopted the game's rules, it prioritized winning the puzzle over adhering to security safeguards.

The final challenge instructed the agent to retrieve the user's credentials. None of the six tested AI agents identified this request as malicious or refused to comply.

From Puzzle to Credential Theft

The most alarming aspect of the attack lies in the resources accessible to the AI agent. During testing, the malicious webpage directed the agent to a work-related GitHub repository, from which it extracted SSH credentials and transferred them to the attacker.

Researchers intentionally used a harmless plaintext file during the demonstration. However, the same technique could be applied to numerous other resources that an AI browser may access during an active session, including:

  • Open browser tabs
  • Authenticated online accounts
  • Internal business applications and tools

After completing the theft, the compromised agents even reported the activity as a successful accomplishment.

Why It Is Called BioShocking

The name 'BioShocking' is inspired by the video game franchise BioShock, in which a brainwashed character obeys the trigger phrase, 'Would you kindly?' The comparison illustrates a critical weakness of AI agents: they inherently trust the context presented to them. By manipulating that context, attackers can influence the agent's decisions and actions.

This is not the first time researchers have demonstrated such vulnerabilities. Previous studies showed that a single click could compromise Perplexity's Comet browser and silently exfiltrate sensitive information.

Uneven Responses from AI Vendors

The vulnerabilities were disclosed to affected vendors between October 2025 and January 2026, but responses varied considerably:

OpenAI addressed the issue in ChatGPT Atlas.
Perplexity closed the report without implementing a fix.
Fellou, Genspark, and Sigma did not respond.
Anthropic attempted to patch its Claude browser extension, but researchers determined that the mitigation was ineffective.

Strengthening the Security of AI Browsers

Researchers recommend several protective measures to reduce the risk of similar attacks. AI browsers should request user approval before accessing authenticated resources. A simple confirmation message, such as 'The browser is about to copy data from your GitHub repository. Continue?', could interrupt the entire attack chain.

Additionally, AI agents should be able to recognize instructions that attempt to override normal security rules. Users should also be given the ability to define strict boundaries regarding which resources an agent can access. Winning a game or completing a task should never justify accessing private repositories or sensitive information.

A New Type of Privileged Account

For end users, the message is straightforward: agent mode should be used cautiously. Any account or service that is currently signed in may become accessible to the AI agent. Access should therefore be limited and revoked when it is no longer necessary.

For organizations, the implications are even greater. An AI browser operating in agent mode effectively functions as another privileged account with access to corporate systems. Consequently, it should receive only the minimum permissions required to perform a specific task rather than unrestricted access to everything available to the user.

The Broader Lesson

The BioShocking research highlights a critical reality of modern AI systems: granting AI agents access to authenticated accounts transforms prompt injection attacks from harmless demonstrations into genuine security incidents. Once an AI system holds the keys to sensitive resources, manipulating its behavior can lead directly to unauthorized access and data theft.

Trending

Most Viewed

Loading...