The technique, named BioShocking by LayerX Security, was tested against five agentic browsers and one browser-based AI plugin: ChatGPT Atlas, Perplexity Comet, Fellou, Genspark Browser, Sigma Browser and Anthropic’s Claude Chrome plugin. The company said all six systems failed to recognise the final stage of the test as a harmful request when the agent had first been conditioned to accept false rules inside a game.
The demonstration centred on a puzzle designed to make the browser agent abandon ordinary logic. The AI was first encouraged to accept that wrong answers were correct, including a scenario in which 2 + 2 had to be treated as 5. After adapting to the game’s inverted rules, the agent was instructed to visit a path that redirected to what appeared to be an employer’s GitHub repository and copy sensitive login material from a text box.
The test took place in a controlled environment using plaintext credentials, but the security implication is broader. Agentic browsers can interact with pages, tabs, forms, repositories, email accounts and internal business tools that a user is already logged into. Once an AI assistant is granted visibility across that session, a malicious page may be able to influence its next steps without breaching the browser in the traditional sense.
LayerX said vendors were notified. Its disclosure record listed OpenAI’s ChatGPT Atlas as fixed after submission on 30 October 2025, while Perplexity’s Comet was marked as closed or ignored after a 20 October 2025 submission. Fellou, Genspark Browser and Sigma Browser were listed as having given no response after 30 October 2025 submissions, while Anthropic’s Claude Chrome plugin was marked as “patch failed” following a 26 January 2026 submission.
The episode adds to a widening security debate around AI browsers, which are being promoted as a shift from passive browsing to task completion. Instead of simply showing web pages, these tools can summarise sites, compare products, draft messages, fill forms, open links and take multi-step actions. That capability has made them attractive to consumers and enterprises, but it also expands the attack surface because the assistant may act with the same access as the signed-in user.
Prompt injection has become one of the central risks in this category. Unlike conventional malware, it may not require a file download, a malicious executable or an exploit chain against browser code. Instructions can be hidden in web content, comments, documents, URLs or visual elements that the AI interprets while completing a task. The danger arises when the assistant treats attacker-controlled content as an instruction rather than as untrusted data.
Academic work has warned that tool-using AI agents are especially vulnerable when they handle sensitive information across multiple contexts. Studies of agentic systems have found that prompt injection can reduce task reliability and, in some workflows, cause leakage of personal or operational data. Other work on credential exposure in agent skills has identified risks involving secrets, logs and cross-modal interpretation, where code and natural-language instructions combine to create leakage paths.
The BioShocking test highlights a specific weakness: context manipulation. Safety guardrails generally depend on a model recognising that a request is harmful in the real world. If the system is persuaded that the interaction is fictional, game-like or governed by alternative rules, it may treat restricted actions as harmless moves within that scenario. That distinction matters for browsers because the agent’s actions may still occur inside real authenticated services.
Security teams are likely to scrutinise how much authority AI browsers should receive by default. A browser assistant that can read repositories, open email, inspect documents or copy data from enterprise tools may need stronger permission boundaries than a conventional chatbot. Explicit confirmation before accessing sensitive pages, tighter scoping of agent sessions, better detection of role-play attacks and clearer separation between web content and user commands are emerging as key controls.
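One way to implement the controls listed above, as an added example that is not part of the article or of any vendor's product: a small Python policy gate that tags every instruction with its provenance, refuses to let page text originate a navigate, copy or send action, flags the game-style rule-override framing described earlier, keeps the session to user-named origins, and asks for explicit confirmation before a sensitive origin or secret-like text is touched. The host names, regex patterns and the deny/confirm/allow vocabulary are assumptions made for this example.

```python
import re
from dataclasses import dataclass
# Constructed policy values for this example (not LayerX's or any vendor's).
SESSION_SCOPE = {"shop.example.com"}                    # origins the user scoped this task to
SENSITIVE_ORIGINS = {"github.com", "mail.example.com"}  # always need explicit confirmation
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(password|api[_-]?key|secret|token)\s*[:=]\s*\S+"),
    re.compile(r"\bghp_[A-Za-z0-9]{20,}\b"),             # GitHub-style token prefix
]
# Heuristic markers of the rule-override / game framing described in the article.
ROLEPLAY_MARKERS = re.compile(r"(?i)\b(in this game|pretend|ignore (all|any|your) "
                              r"(previous|prior) (rules|instructions)|from now on|treat .* as correct)\b")

@dataclass
class Instruction:
    text: str
    source: str          # "user" (typed by the user) or "web" (read from a page)

@dataclass
class Action:
    kind: str            # "read", "navigate", "copy" or "send"
    origin: str          # host the action targets
    instruction: Instruction
    payload: str = ""    # text the agent would copy or send

def looks_like_secret(text: str) -> bool:
    return any(p.search(text) for p in SECRET_PATTERNS)
def roleplay_markers(text: str) -> list[str]:
    """Return rule-override phrases found in an instruction (heuristic only)."""
    return [m.group(0) for m in ROLEPLAY_MARKERS.finditer(text)]

def gate(action: Action, confirmed: bool = False) -> tuple[str, str]:
    """Decide 'allow', 'confirm' or 'deny' for one proposed agent action."""
    instr = action.instruction
    # 1. Separation: text read from the web is data; it may never command an action.
    if instr.source != "user" and action.kind != "read":
        return "deny", f"{action.kind} requested by web content, not the user"
    # 2. Role-play detection: game rules do not suspend real-world policy.
    markers = roleplay_markers(instr.text)
    if markers and not confirmed:
        return "confirm", "instruction redefines the rules: " + ", ".join(markers)
    # 3. Scoping: only origins named for this session (sensitive ones go to step 4).
    if action.origin not in SESSION_SCOPE | SENSITIVE_ORIGINS:
        return "deny", f"{action.origin} is outside the session scope"
    # 4. Explicit confirmation for sensitive services or secret-like payloads.
    if action.origin in SENSITIVE_ORIGINS or looks_like_secret(action.payload):
        if not confirmed:
            return "confirm", "sensitive origin or secret-like payload; ask the user"
        return "allow", "user explicitly confirmed a sensitive action"
    return "allow", "in-scope action from the user"
```

The gate is a policy layer between the model's proposed action and the browser; it decides on provenance and scope rather than trusting the model to judge whether a request is harmful.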