A proof-of-concept exploit shows how websites can bypass safety guardrails in AI browsers by feeding them false information. The technique, called BioShocking, prompts the embedded AI models to accept incorrect facts such as 2 + 2 = 5, creating an alternate reality where restrictions no longer apply.
The attack was detailed in research published this week by Roy Paz of security firm LayerX. Once the AI enters the altered state, the site can instruct it to perform actions such as pulling code from private repositories or retrieving credentials from built-in password managers.
The exploit worked against several AI browsers, including ChatGPT Atlas, Comet, Fellou, Genspark, Sigma, and the Claude Chrome plugin. Its prompts draw on themes from the video game BioShock and the novel 1984, including references to paradox.
Paz noted that once the models learned incorrect actions were acceptable, they no longer followed their original safety rules. Computer scientist Adam Conway raised similar concerns last year about the risks of merging web display and automated actions in a single AI agent.
The demonstration lacks full stealth because its instructions are visible to users, and it is unclear whether extracted data can be sent remotely. It nevertheless highlights the ongoing challenge of securing AI browsers that combine browsing with task execution on local machines.