Security researchers have demonstrated how AI browsers can be manipulated into stealing sensitive information from accounts their users are already logged into.
Researchers at cyber security company LayerX tested six agentic tools using a malicious puzzle that persuaded them they were playing a game where normal rules didn’t apply. All six then retrieved test SSH login credentials from an authenticated work repository without recognising the security violation.
The technique, called “BioShocking”, could potentially expose information from signed-in accounts, internal tools and authenticated repositories. LayerX says OpenAI has fixed the issue in ChatGPT Atlas, while responses from other providers varied.
Businesses using agentic browsers should restrict their access to sensitive accounts and systems, avoid using agent mode while unnecessarily logged into confidential services, and revoke permissions when they are no longer required.