AI Security

BioShocking: Prompt-Game Trick Pries Credentials From AI Browsers

Researchers at LayerX got six AI browsers and assistants — including ChatGPT Atlas, Perplexity's Comet, and Anthropic's Claude extension — to exfiltrate user logins by framing the attack as a game.

Lucy Green · 3 min read

Tell an AI browser it's playing a game. Watch it hand over your password.

That's the short version of BioShocking, a credential-theft technique disclosed by security firm LayerX. The researchers fooled six AI-driven browsers and assistants into copying a logged-in user's credentials and forwarding them to an attacker-controlled endpoint. Named targets include OpenAI's ChatGPT Atlas, Perplexity's Comet, and Anthropic's Claude browser extension.

The trick is social engineering aimed at the model, not the user. An attacker plants instructions — on a webpage, in a document, in a shared link — that reframe the assistant's task as a role-play scenario. The AI, eager to complete the "game," treats stored or autofilled credentials as game tokens to be passed along. The browser's identity context becomes the payload.

This is a textbook indirect prompt injection, dressed up. What makes it bite is the agentic layer: these tools can read the DOM, access form fields, and make outbound requests on the user's behalf. Strip away the framing and BioShocking is a confused-deputy attack against a browser that holds the keys.

LayerX reports the affected vendors were notified. Public mitigation status varies by product and, as of disclosure, no CVE has been assigned to the class of issue.

The regulatory exposure here is not theoretical. If exfiltrated credentials unlock accounts holding regulated PII, downstream incidents fall under the usual suspects: FTC Section 5 in the U.S., the ICO under UK GDPR, the OAIC for Australian data, and state AGs for breach-notification timelines. Vendors shipping AI browsers that autofill credentials into attacker-controlled flows should expect questions about reasonable security under existing consent decrees.

A few things worth flagging.

First, "the AI got tricked" is not a novel attack surface in regulator-speak. It's an access control failure with a new coat of paint. Second, password managers and SSO that gate credential release on user gesture — not assistant gesture — materially reduce blast radius. Browsers that let an agent read or submit credentials without a human-in-the-loop click are the soft targets.
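The two controls just named, binding a credential to the origin it was saved for and releasing it only on a human gesture, are concrete enough to sketch. The following is an added illustration, not code from LayerX or from any of the vendors named above: a small credential-release gate for an agentic browser's tool layer. The assistant only ever receives opaque handles, and the gate resolves a handle only for a request that targets the matching origin and that a real user click approved; a separate scan catches the case where the model copied a raw autofilled value into a request. The vault class, the `gateRequest` function, the `'user'`/`'assistant'` approver labels and every URL, username and password are assumptions constructed for the demo.

```javascript
// Added illustration, not code from LayerX or from any vendor named in the article.
// It sketches a credential-release gate for an agentic browser's tool layer:
// the assistant only ever sees opaque handles, and the gate resolves a handle
// only for a request that targets the origin the credential was saved for AND
// that a real user gesture approved. Every URL, username and password here is
// constructed for the demo.

class CredentialVault {
  constructor() {
    this.byOrigin = new Map();     // origin -> { username, password }
    this.handles = new Map();      // opaque handle -> origin it belongs to
    this.userApproved = new Set(); // handles released by a human click, not by the model
    this.nextId = 1;               // demo only; a real vault would use random handles
  }

  save(origin, username, password) {
    this.byOrigin.set(origin, { username, password });
  }

  // What the assistant gets when it asks for a site's login: a token, never the secret.
  // (The demo treats the username as public; a real vault would wrap it as well.)
  issueHandle(origin) {
    if (!this.byOrigin.has(origin)) return null;
    const handle = `cred:${this.nextId++}`;
    this.handles.set(handle, origin);
    return handle;
  }

  // Only a trusted UI path (a confirmation the user clicked) may call this.
  approveByUser(handle) {
    this.userApproved.add(handle);
  }

  // True if a string carries a stored raw secret, e.g. text copied out of an autofilled field.
  leaksRawSecret(value) {
    if (typeof value !== 'string') return false;
    for (const { password } of this.byOrigin.values()) {
      if (value.includes(password)) return true;
    }
    return false;
  }
}

// Decide whether an outbound request the assistant proposes may be sent.
// `approver` is who claims to have authorised the release: 'user' or 'assistant'.
// Returns { allow, reason, body }; on allow, body has handles replaced by real values.
function gateRequest(vault, request, approver) {
  const dest = new URL(request.url).origin;
  if (vault.leaksRawSecret(request.url)) {
    return { allow: false, reason: 'raw-secret-in-request', body: null };
  }
  const resolved = {};
  for (const [field, value] of Object.entries(request.body)) {
    if (vault.leaksRawSecret(value)) {
      return { allow: false, reason: 'raw-secret-in-request', body: null };
    }
    if (typeof value === 'string' && value.startsWith('cred:')) {
      const origin = vault.handles.get(value);
      if (!origin) return { allow: false, reason: 'unknown-handle', body: null };
      // Confused-deputy check: the credential may only travel to its own origin.
      if (origin !== dest) return { allow: false, reason: 'origin-mismatch', body: null };
      // Human-in-the-loop check: the model's own say-so is not a user gesture.
      if (approver !== 'user' || !vault.userApproved.has(value)) {
        return { allow: false, reason: 'no-user-gesture', body: null };
      }
      resolved[field] = vault.byOrigin.get(origin).password;
    } else {
      resolved[field] = value;
    }
  }
  return { allow: true, reason: 'ok', body: resolved };
}

// Four requests an agent might propose, using constructed origins and a constructed password.
function demo() {
  const vault = new CredentialVault();
  const mail = 'https://mail.example.com';
  const sink = 'https://collector.example.net'; // placeholder for an attacker-controlled endpoint
  vault.save(mail, 'alice', 'S3cr3t-hunter2!');

  // 1. Ordinary login: correct origin, released by a real click.
  const h1 = vault.issueHandle(mail);
  vault.approveByUser(h1);
  const login = gateRequest(vault, { url: `${mail}/login`, body: { user: 'alice', pass: h1 } }, 'user');

  // 2. "Game" framing: the same approved handle is routed to another host.
  const rerouted = gateRequest(vault, { url: `${sink}/collect`, body: { token: h1 } }, 'user');

  // 3. Correct origin, but the assistant (not the user) is the one claiming approval.
  const h2 = vault.issueHandle(mail);
  const noGesture = gateRequest(vault, { url: `${mail}/login`, body: { pass: h2 } }, 'assistant');

  // 4. The model copied the autofilled raw value out of a form field into a request body.
  const rawCopy = gateRequest(vault, { url: `${sink}/collect`, body: { note: 'score=S3cr3t-hunter2!' } }, 'user');

  return { login, rerouted, noGesture, rawCopy };
}
```

The structural control is the handle: if the model never holds the plaintext, a role-play prompt has nothing to forward. The raw-secret scan in `leaksRawSecret` is only a backstop for browsers that still autofill plaintext into a DOM the agent can read, and the origin check is what turns "the assistant made a request" into "the assistant made a request to the one place this credential is allowed to go".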

What affected users should do

If you use ChatGPT Atlas, Comet, or the Claude browser extension with autofill or a connected password manager, assume credentials entered during AI-assisted sessions in the past several weeks could be exposed. Rotate passwords for any high-value account the assistant has touched: email, banking, identity providers, work SSO. Turn on phishing-resistant MFA (passkeys or hardware keys) where offered. Review OAuth grants and active sessions. Disable agent access to credential stores until your vendor confirms a fix, and check the vendor's security advisory page directly rather than relying on in-product changelogs.

The broader lesson for anyone shipping agentic browsers: if your model can be talked into a role-play, it can be talked out of your users' accounts.

© 2026 Threat Vectr