Researchers Trick ChatGPT, Perplexity AI Browsers Into Leaking Credentials Using a Puzzle Game


Security researchers manipulated six AI browsers into surrendering user credentials by convincing the software it was playing a game — exposing a systemic vulnerability in a fast-growing product category.

LayerX, a browser security firm, published findings this week detailing what it calls a “BioShocking” attack — named after the video game series in which characters are psychologically conditioned to carry out actions they would otherwise refuse.

The technique applies the same principle to AI agents.

Six Products Tested, Six Compromised

Researchers built a webpage containing a simple puzzle game designed to gradually erode the AI agent’s default reasoning. The first challenge rewarded wrong answers — prompting users to enter “2 + 2 = 5” instead of 4.

The AI initially responded correctly. After repeated failures under the game’s inverted logic, it adapted and accepted the alternate rules.

Once the AI operated within that manipulated framework, the game directed the browser agent to visit a separate page and copy text from a form field. In the test environment, that page was an authenticated GitHub repository containing login credentials.

The agent retrieved and returned the credentials as a puzzle solution — treating credential extraction as gameplay rather than a security violation.

LayerX tested the attack against six products: ChatGPT Atlas (OpenAI), Comet (Perplexity), the Claude Chrome Extension (Anthropic), Fellou, Genspark Browser, and Sigma Browser. Every product failed.

Disclosure Outcomes Vary Sharply

OpenAI patched the vulnerability in ChatGPT Atlas following LayerX’s responsible disclosure, according to the firm’s disclosure table.

Perplexity closed the report without implementing a fix, with LayerX categorizing the company’s response as ignored.

Anthropic attempted a mitigation for the Claude Chrome extension, but LayerX said the patch failed to block the attack.

None of the three companies had issued public statements on the findings at the time of publication.

A Pattern Emerging Across AI Browsers

The BioShocking findings follow a run of similar disclosures targeting the AI browser sector.

Earlier this month, researchers working with Brave demonstrated how prompt injection — a technique in which malicious instructions are embedded inside webpage content to redirect an AI agent’s behavior — could expose sensitive user data. Separately, researchers showed that browser-integrated AI assistants could be manipulated into revealing email contents and login credentials through hidden instructions on malicious pages.

The common thread is not a flaw in the underlying browser code. Attackers are targeting the AI’s decision-making process directly.

Why This Threat Model Differs

Traditional browser security has focused on isolating malicious code — preventing scripts from crossing security boundaries or accessing protected memory.

AI browser security must also defend against malicious reasoning — situations where an attacker does not exploit software, but instead convinces software to make a bad decision voluntarily.

That distinction carries serious consequences as AI agents gain permission to access authentication tokens, corporate repositories, password managers, calendars, and internal enterprise systems.

Manipulating an agent’s context to authorize harmful actions may prove as effective as any conventional exploit, LayerX argues.

AI browsers — software that goes beyond displaying webpages to autonomously completing tasks on a user’s behalf — are currently in a rapid growth phase. Perplexity’s Comet has attracted significant market attention since its launch, and competing products continue to emerge as technology companies position themselves in the agentic browsing space.

LayerX recommends users restrict what data and services their AI browser can access and exercise caution before granting autonomous permissions to any agentic tool.
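One way to apply that least-privilege advice is to gate every tool call an agent makes through a policy the page content cannot touch, so a game that has talked the model into inverted rules still cannot read an authenticated page or hand a secret back as a "puzzle answer". This is an added illustration, not code from LayerX or any of the tested products; the origin allowlist, the `puzzle.example` site, the `Action` shape, the replayed sequence and the credential patterns are constructed assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed user policy (hypothetical names): origins the agent may read from
# freely, and authenticated origins where a read needs explicit confirmation.
ALLOWED_READ_ORIGINS = {"puzzle.example"}
CONFIRM_REQUIRED_ORIGINS = {"github.com"}

# Values that must never leave the agent as a "puzzle answer" (formats assumed).
SECRET_PATTERNS = [
    re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),                  # GitHub classic PAT
    re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*\S+"),
]

@dataclass
class Action:
    kind: str          # "navigate", "read_field" or "return_text"
    url: str = ""
    text: str = ""

@dataclass
class Decision:
    allowed: bool
    reason: str

def evaluate(action: Action, user_confirmed: bool = False) -> Decision:
    """Gate one tool call; page text never reaches this check, so it cannot change the verdict."""
    origin = urlsplit(action.url).hostname or ""
    if action.kind == "read_field":
        if origin in ALLOWED_READ_ORIGINS:
            return Decision(True, f"read allowed on {origin}")
        if origin in CONFIRM_REQUIRED_ORIGINS and user_confirmed:
            return Decision(True, f"read on {origin} confirmed by user")
        return Decision(False, f"read on {origin} denied without confirmation")
    if action.kind == "return_text":
        if any(p.search(action.text) for p in SECRET_PATTERNS):
            return Decision(False, "output matches a credential pattern")
        return Decision(True, "output clean")
    return Decision(True, f"{action.kind} permitted")

# Constructed replay of the sequence the article describes.
GAME_SEQUENCE = [
    Action("navigate", url="https://puzzle.example/level1"),
    Action("return_text", text="2 + 2 = 5"),
    Action("read_field", url="https://github.com/org/repo/settings/secrets"),
    Action("return_text", text="Solution: ghp_" + "A" * 36),
]
def first_block(actions: list[Action]) -> int:
    """Index of the first action the policy refuses, or -1 if none."""
    return next((i for i, a in enumerate(actions) if not evaluate(a).allowed), -1)
```

Running the replay stops at the cross-origin read (index 2), before any credential is fetched; the output scan is a second line of defence for tokens that arrive by some other path.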

Deepak Gupta

Deepak Gupta is a technologist who loves diving into software development, cybersecurity, and new tech. He aims to make complex topics easy to understand, sharing practical insights with fellow tech enthusiasts. Read more about me at LinkedIn.
