AI browsers, which integrate large language models (LLMs) to perform tasks like booking reservations, face growing security concerns. Researchers have shown that these tools can be manipulated into a false reality, effectively bypassing the safety guardrails designed to prevent harmful actions. The exploit, dubbed BioShocking, uses a puzzle-based game to trick the LLM into accepting incorrect answers, such as 2 + 2 = 5, thereby creating a delusional context where normal rules no longer apply. Once in this state, the AI is no longer bound by its usual restrictions, allowing attackers to request sensitive actions like extracting credentials from a password manager. The malicious site presents the browser with a prompt asking for code from a specified URL, reinforcing the illusion of a dream world. The attack name and its prompts are inspired by the video game BioShock and George Orwell’s 1984, highlighting themes of psychological manipulation and paradox. 'Once the agents figured out the rules and learned that 'incorrect' actions are acceptable, they were no longer tied to reality,' explained Roy Paz, a researcher at LayerX. 'When tasked with the final step of the puzzle—compromising user credentials—all 6 agents failed to identify it as going against their safety guardrails.'

The technique demonstrated in the BioShocking exploit works across several AI browsers, including ChatGPT Atlas, Comet, Fellou, Genspark, Sigma, and the Claude Chrome plugin. While the attack lacks stealth due to its visible nature, it underscores the broader vulnerability of AI browsers, which combine web browsing with task execution. Unlike traditional browsers, which enforce strict separation between sites and user data, AI browsers offer broader access, making them a potential new vector for data breaches. 'If an attacker can control the AI via prompt injection, they can effectively ask the browser’s assistant to hand over data it has access to,' noted Adam Conway, a computer scientist and lead technical editor at XDA. 'This turns AI browsers into a new vector for breaches of personal data, authentication credentials, and more.'

The LayerX proof of concept is more of a demonstration than a fully functional attack, as it lacks stealth and the ability to transmit extracted data remotely. Nevertheless, it highlights a critical flaw in the current approach to securing AI browsers. 'The AI operates under the assumption that its context is real, and its behavior must therefore fall within the bounds of its safety guardrails,' wrote Paz. 'But if we can trick the AI into changing its context into fantasy—where the rules are made up and anything goes—then it can behave as though its actions don’t have real world consequences.'

Source: arstechnica