Researchers show websites can bypass safety rules in AI browsers

In short: Security researchers showed that a website can trick an AI browser into ignoring its safety rules and doing things it normally should refuse.

What happened

Researchers at security firm LayerX demonstrated an attack they call “BioShocking.” It targets AI browsers, which are web browsers that include an AI helper that can read pages and also take actions for you, like filling forms or booking a reservation.

In the demo, a malicious website showed the AI a simple “game” and told it to solve a puzzle. The trick was that the puzzle rewarded wrong answers, like telling the AI that 2 + 2 = 5. Once the AI accepted that the rules of the world had changed, it started acting as if normal safety limits no longer mattered.

After that, the site gave the AI a new instruction. It asked the AI to copy information from a code page on the site, and the researchers say similar prompts could be used to pull data from places the AI can access, like a private code repository or even a built-in password manager (the feature that saves your passwords so you do not type them each time).

LayerX said the technique worked across multiple AI browser tools and plugins, including ChatGPT Atlas, Comet, Fellou, Genspark, Sigma, and the Claude Chrome plugin. Ars Technica noted the demo was visible to the user and it was not clear whether stolen data could be sent out automatically.

Why it matters

A normal browser keeps websites separated, like rooms with locked doors. But an AI browser is more like a helpful assistant with keys to many rooms. If a bad website can control that assistant with carefully written instructions, it could expose personal data, passwords, or work files.

Source: Arstechnica