A new attack technique called BioShocking, discovered by security firm LayerX, exploits AI browsers and assistants by tricking them into leaking user credentials. The attack uses indirect prompt injection, where a malicious web page presents itself as a game or puzzle, convincing the AI agent to follow game logic over safety protocols. In tests, six AI browsers—including OpenAI’s ChatGPT Atlas, Perplexity’s Comet, and Anthropic’s Claude browser extension—were successfully manipulated into copying SSH login credentials from a victim’s GitHub repository and sending them to an attacker.
The attack works because AI agents process web page content and user instructions as a single text stream, making them vulnerable to hidden commands. LayerX reported the vulnerability to vendors between October 2025 and January 2026. OpenAI fixed the issue in ChatGPT Atlas, while Perplexity closed the report without action. Fellou, Genspark, and Sigma did not respond, and Anthropic’s patch for Claude was reportedly ineffective.
LayerX recommends that AI browsers implement prompts to ask for permission before accessing logged-in accounts, detect when pages attempt to override normal rules, and allow users to set strict access limits. For users, the advice is to treat agent mode cautiously and limit what the browser can access. For security teams, AI browsers in agent mode should be treated as separate accounts with minimal necessary access.
CVEs: CVE-2026-20245
Companies: LayerX, OpenAI, Perplexity, Anthropic, Fellou, Genspark, Sigma
Products: ChatGPT Atlas, Perplexity Comet, Claude browser extension
Original source: thehackernews.com