Cybersecurity researchers have identified a new prompt-injection technique that can manipulate AI browsers into bypassing their safety guardrails by convincing them that they are operating inside a fictional context where normal rules do not apply.
The findings, from cybersecurity firm LayerX, highlight the risks of integrating autonomous AI agents into browsers and other software used to navigate the internet. Researchers said the technique could dupe leading AI browsers, including OpenAI’s ChatGPT Atlas, Perplexity AI’s Comet and Anthropic’s Claude plugin for Google Chrome, into executing commands that may expose users to serious harm.
Researchers Call the Technique BioShockIng
LayerX researchers have named the hack “BioShockIng,” a reference to the video game BioShock, in which the protagonist is hypnotised into acting against their will through a specific phrase.
According to the researchers, AI systems usually operate on the assumption that their context is real and that their actions must remain within their safety rules. But if an AI browser can be tricked into treating its context as a fantasy, those restrictions may be weakened or bypassed.
The researchers said the attack works by making the AI take part in a game-like environment. They created a proof-of-concept page with BioShock-themed puzzles in which the AI was rewarded for giving intentionally incorrect answers, including prompts such as “2+2 = 5.”
Prompt Injection Used to Manipulate AI Browsers
The researchers said the method effectively taught AI browsers that incorrect actions were acceptable, separating them from ordinary context and pushing them toward paradoxical responses. In one example, a manipulated AI browser was shown repeating the phrase “Victory is defeat,” a reference to George Orwell’s novel 1984.
In practical terms, the risk begins when a user opens what appears to be an ordinary webpage containing malicious prompts. This tactic, known as prompt injection, can trap the AI browser in the malicious game and direct its actions.
In one scenario described by the researchers, the AI was tricked into navigating to “/code,” which opened the user’s employer’s code repository on GitHub. The researchers warned that in a real attack, the redirect could point anywhere within the user’s browser session, including open tabs, authenticated repositories and internal tools.
Risk Remains Visible but Serious
This indicate that the attack happens in the open, meaning users may be able to intervene if they notice the AI browser engaging with suspicious or malicious words in the browser window.
However, the vulnerability exposed by the research is significant. It shows that the operating context of AI browsers can be manipulated by making them believe they are playing a game. The researchers’ findings suggest that attackers may no longer need to rely only on tricking users directly and could instead target the AI assistants acting on their behalf.
