Agentic Disaster: Security researchers have repeatedly shown that AI-powered browsers can be dangerous tools for everyday web browsing. Agentic AI systems, large language models, and other AI components running within the browser can be exploited to bypass security boundaries, and there is currently no straightforward way to fully eliminate these risks.
Researchers from LayerX recently unveiled BioShocking, a new type of vulnerability designed to target AI-powered browsers capable of executing autonomous tasks on the open web. The security firm explained that BioShocking can "game" an AI-based browser, causing the system to execute malicious instructions after effectively bypassing its intended security guardrails.
BioShocking takes its name from BioShock, the dystopian FPS published by 2K in 2007 and set in the underwater city of Rapture. The researchers reuse the BioShock theme in a proof-of-concept webpage designed to convince the AI browser that it is no longer operating in the "real world."
LayerX researchers explained that LLMs and AI agents are typically trained to operate within defined security boundaries. If a user attempts to input potentially malicious prompts, the AI is expected to refuse the request and raise a warning. However, these boundaries can fail if the model is persuaded that it is participating in a game in which real-world constraints no longer apply.

BioShocking operates in a relatively straightforward way, LayerX said. The PoC webpage guides the AI agent through an alleged BioShock-themed, multi-layered puzzle game. The vulnerability exploits an LLM's internal reasoning process by prompting it to answer a simple math question (2 + 2) with a deliberately incorrect result (5), which helps push the AI further into the fabricated game narrative.
Finally, the PoC directs the AI agent to navigate to a specially crafted "/code" URL, where it can be instructed to steal sensitive credentials or perform other malicious actions.
"If you convince an agent that it's playing a game, then it will apply game logic – not real-world safety logic – to whatever it does," the researchers explained.
LayerX successfully tested BioShocking against several AI browsers and Anthropic's Claude browser extension for Chrome. The security firm notified all affected companies, but only OpenAI reportedly addressed the issue in its ChatGPT Atlas browser. Anthropic's patch reportedly did not hold, while the other browser vendors did not respond.
Researchers have been probing the lack of robust security controls in AI browsers for at least two years. Regarding BioShocking, LayerX said that effective mitigation will likely require a multi-layered approach: AI browsers should consistently request user confirmation before performing sensitive operations, and users should assume that an agentic browser can be talked into misusing whatever data and accounts it can reach, and limit that access accordingly.
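The point behind both the attack and the recommended mitigation is that the narrative fed to the model is not a safety boundary: an agent that has been persuaded it is "in a game" will happily apply game logic to a credential field. A confirmation gate therefore should not depend on the model's own judgement at all; it should key on two things the model cannot talk its way around, namely which capability an action needs and where the instruction that produced it came from. The following is an added illustration of such a gate, written for this article; it is not LayerX's proof of concept nor any vendor's code, and the action types, the `source` field and the sample step list are assumptions made for the example.

```javascript
// Added example, not code from LayerX or any browser vendor.
// A provenance-aware action gate for an agentic browser. The gate never
// inspects the story the model was told; it decides on capability and
// instruction provenance only. Action shapes and names are assumptions.

// Capabilities that can leak or misuse the user's data.
const SENSITIVE = new Set([
  "fill_credential", // typing a stored password or token into a field
  "submit_form",     // sending filled-in data to a server
  "read_storage",    // cookies, localStorage, saved form data
  "download",
]);

// Read-only actions that web content may legitimately drive.
const BENIGN = new Set(["read_text", "scroll"]);

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Decide what to do with one proposed action.
//   action.source is "user" (typed by the person) or "page"
//   (extracted by the model from web content, i.e. untrusted).
// Returns "allow", "confirm" (ask the user first) or "deny".
function decide(action, currentUrl) {
  const fromPage = action.source === "page";
  if (SENSITIVE.has(action.type)) {
    // Web content can never authorise use of the user's secrets,
    // no matter how the page frames the request.
    return fromPage ? "deny" : "confirm";
  }
  if (action.type === "navigate") {
    // Page-driven cross-origin hops are how multi-step lures chain.
    if (fromPage && !sameOrigin(action.url, currentUrl)) return "confirm";
    return "allow";
  }
  if (BENIGN.has(action.type)) return "allow";
  return fromPage ? "confirm" : "allow";
}

// Run proposed actions through the gate.
//   confirm(action) represents the user prompt; returns true or false.
// Returns the decision log and the actions that were actually executed.
function runSteps(steps, startUrl, confirm) {
  let current = startUrl;
  const log = [];
  const executed = [];
  for (const step of steps) {
    let d = decide(step, current);
    if (d === "confirm") d = confirm(step) ? "allow" : "deny";
    log.push({ type: step.type, source: step.source, decision: d });
    if (d === "allow") {
      executed.push(step);
      if (step.type === "navigate") current = step.url;
    }
  }
  return { log, executed };
}

// Constructed sample: instructions the model pulled out of a "game" page
// that tries to chain a same-origin navigation into credential theft.
const pageSteps = [
  { type: "read_text", source: "page" },
  { type: "navigate", url: "https://game.example/code", source: "page" },
  { type: "fill_credential", source: "page" },
  { type: "submit_form", source: "page" },
];

// Even with a user who blindly clicks "yes" on every prompt, the
// credential and submit steps are refused because they came from the page.
const result = runSteps(pageSteps, "https://game.example/", () => true);
console.log(result.log);
```

The gate is deliberately narrow: it does not try to detect "game" framing or any other jailbreak pattern, because that is exactly the contest the model loses. What it enforces is that page-sourced instructions cannot reach credential or storage capabilities at all, and that the user is asked before any sensitive action the user did request. The remaining weak spot is the confirmation prompt itself, which is why the article's advice to limit what the browser can reach in the first place still matters.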