Your AI Browser Can Be Talked Into Stealing Your Data — BioShocking and AutoJack Explained

Your AI Browser Can Be Talked Into Stealing Your Data — BioShocking and AutoJack Explained

AI browsers — Chrome-like products where an agent clicks, reads and fills forms for you — are moving into companies fast, often through employees who simply install them. Two pieces of research published in June 2026 show why security teams need a position on them now, not later.

BioShocking: the agent that forgot reality

Researchers at LayerX built a proof-of-concept they call BioShocking: a malicious web page presenting a puzzle game (BioShock-themed) in which wrong answers are rewarded. Step by step, the game teaches the browser's AI agent that normal rules do not apply. The final "puzzle step" instructs the agent to visit a repository and copy out data — including passwords.

All six mainstream agentic browsers they tested fell for it: ChatGPT Atlas, Comet, Fellou, Genspark, Sigma and the Claude Chrome plugin. In LayerX's words, once the agents learned that "incorrect" actions were acceptable, they were no longer tied to reality — none of the six recognized that compromising user credentials went against its guardrails. As of publication, only OpenAI had shipped a working fix.

The core problem is not one bug. It is that an AI agent cannot reliably distinguish a fictional scenario from a real-world sensitive operation. Any page it reads is potential instruction.

AutoJack: from web page to code execution

Microsoft's own researchers demonstrated a second failure mode with AutoJack, an exploit chain in pre-release builds of AutoGen Studio. A malicious page loaded by a local AI agent could reach a privileged localhost service — which trusted anything local and skipped authentication on its MCP endpoints — and run an attacker-chosen command on the host. No credentials, no user interaction beyond the agent opening the page.

The lesson Microsoft itself draws is bigger than one product: once an agent can browse the open web and reach local services, localhost is no longer a trust boundary. Expect the same pattern in other agent frameworks.

What this means for your organization

Put the two together and the risk model becomes clear:

  • An AI browser or agent runs with your employee's identity and access — mailbox, SaaS sessions, internal apps.
  • Every web page it processes is untrusted input that can steer its behaviour, and guardrails demonstrably fail against creative framing.
  • If the agent also has local integrations, a page can potentially reach beyond the browser onto the machine.

That is not a reason for panic, but it is a reason for policy. The same questions you once answered for browser extensions and macros now apply to agents — with higher stakes.

A practical starting position

  • Decide, explicitly, whether AI browsers are allowed — and which ones. "Whatever employees install" is a decision too, just an unmanaged one.
  • Keep agents away from crown jewels. Do not let agentic sessions stay logged into banking, admin consoles, HR or production systems. Most platforms let you restrict which sites the agent may act on — use it.
  • Require confirmation for sensitive actions. Prefer products that force a human click before submitting forms, sending data or downloading files.
  • Isolate local agent tooling. Developer-side frameworks (AutoGen and friends) should not share a machine with an agent that browses untrusted content; separate them with containers or VMs and low-privilege accounts.
  • Add it to awareness training. Employees should understand that an AI browser acting "on their behalf" can be manipulated by the page it is reading.

Test your own AI attack surface

If your organization builds or deploys AI assistants, agents or LLM-backed features, the attack surface above is yours, not just the vendor's. Prompt injection, tool abuse and data exfiltration through model behaviour are exactly what an AI/LLM penetration test is designed to uncover — before a creative web page does it for you.

The honest summary of June's research: the agents did what they were told. The problem is who was doing the telling.


This article is general information based on public research by LayerX and Microsoft, as reported by BleepingComputer and The Hacker News.

Back to blog