A new prompt injection termed “BioShocking” can manipulate AI-based browsers into treating malicious actions as a video game, and give away your login credentials. The technique was discovered by experts at security firm LayerX. The experts tricked six AI-powered browsers and assistants into recording users’ credentials and sending them to the threat actor.
The browsers include:
ChatGPT Atlas from OpenAI
Comet from Perplexity
Anthropic’s Claude browser
Fellou
Genspark browser
Sigma browser
LayerX experts made a proof-of-concept (PoC), which was tested against these agentic AI browser products. The findings revealed that only one browser addressed the issue after receiving the report.
What is an AI browser?
An AI browser can streamline the entire workflow for the users. If you switch it to agent mode, it can click type, and visit sites that the user has already logged into. Access is the key point hare, which also becomes the problem.
BioShocking attack tactic
Experts made a (PoC) in which an infected webpage showed a BioShock-themed puzzle that rewards wrong answers. This tricks the browser that normal rules are not applicable.
The trap works because of how these AI-powered browsers read. The webpage and instruction surface as a single stream of text, which allows a malicious page access in commands mimicking ordinary content or game rules. The agent can not tell which is which. Experts have termed this indirect prompt injection.
Tricking the browser
For instance, the compromise starts with a web page made as a puzzle. 3+4+=9 is a wrong answer but the browser rewards it. When the agent accepts that wrong answer is the reward, it follows game puzzle logic not security logic. Following this, the puzzle asks the browser to record login credentials. All six browsers could not flag it as something malicious. To win the game, the agent is commanded to go to a GitHub repository and share the data in the code, such as sensitive data like passwords.
When the link is sent to the target’s GitHub repository, it retrieves SSH login credentials and sends them to the hackers. The main issue here is that browsers can’t differentiate between real scenarios and malicious fictional ones.
According to LayerX, “Once the agents figured out the rules and learned that ‘incorrect’ actions are acceptable, they were no longer tied to reality.” “When tasked with the final step of the puzzle – compromising user credentials – all 6 agents failed to identify it as going against their safety guardrails,” the experts continued.
The PoC did not execute any malicious commands but warned that it could do so.
AI vendors’ response
According to experts, only OpenAI implemented a working patch for BioShocking in its browser.
Anthropic tried to fix the issue on its chrome login, but the patch was not working against the PoC. Perplexity did not fix the issue, and closed the report.
LayerX advises that AI vendors should add specific user acknowledgement for sensitive work, and stronger security checks.
Read the original article:
