LayerX researchers developed an AI browser jailbreak dubbed “BioShocking” that tricks AI browser assistants into disclosing private data as part of a “game.” The “game” website serves as an indirect prompt injection that alters the AI assistant’s sense of “reality” by only rewarding incorrect answers such as 2+2=5, the researchers said in a blog post. The method’s name is a reference to the 2007 video game BioShock, in which the main character is brainwashed into believing in a false reality and unknowingly follows the antagonist’s orders.

The attack chain begins when the user asks the AI assistant built into their browser to win the game presented by the website. After “solving” the 2+2 problem by submitting an incorrect answer, the AI begins to understand that the “wrong” answer is needed to win.

“Once the agents figured out the rules and learned that ‘incorrect’ actions are acceptable, they were no longer tied to reality,” the researchers wrote.

The next part of the game directs the assistant to submit text from a page that redirects to a GitHub repository in the user’s organization. Leveraging the user’s logged-in session, the browser assistant navigated to the repo, copied the contents of a text file containing SSH login credentials, and submitted the data without being stopped by its guardrails.

“The most important component of BioShock is not our specific example of an attack, but the root cause behind the attack — which is that AI browsers act within a context, but that context can be manipulated,” LayerX Research Director Michelle Levy told SC Media. “If you convince an agent that it’s playing a game, then it will apply game logic — not real world safety logic — to whatever it does.”

The BioShocking jailbreak was tested on six AI browsing assistants, and all six were fooled into submitting the credentials contained in a test repo. The products tested were OpenAI’s ChatGPT Atlas, Perplexity AI’s Comet, Fellou, Genspark Browser, Sigma Browser and Anthropic’s Claude plugin for Chrome.

LayerX said OpenAI has patched the jailbreak in its ChatGPT Atlas browser. Anthropic also attempted to patch the issue in its Chrome plugin, but LayerX found that the patch did not work. Levy told SC Media that Anthropic indicated they would revisit the issue and that the most recent report has remained open since April 2026.

Perplexity closed the report without a fix, and Fellou, Genspark and Sigma Browser did not respond to LayerX’s reports, according to the blog post. A Genspark spokesperson told SC Media that the issue has been fixed and that the company has reached out to LayerX. OpenAI, Perplexity, Fellou and Sigma Browser did not respond to requests for comments.

‘BioShocking’ jailbreak tricks AI browsers into disclosing private data
