AI-powered browsers and agents promise to take the drudgery out of web tasks. They can summarize pages, pull data from your accounts, and even act as a smart assistant that clicks and types for you. But new research shows that when those assistants lose track of what’s real and what’s just a game, your credentials and sensitive data could become collateral damage.

The prerogative of each attack type is to bypass one of the ground rules:

“LLMs are designed with safety guardrails that are meant to prevent harmful actions.”

Researcher Roy Paz devised and disclosed an attack he calls “BioShocking,” a technique that convinces AI browsers to abandon their safety guardrails by presenting them a fictional scenario as reality.

With this, BioShocking sits at the intersection of prompt injection and goal manipulation. Prompt injection works because AI models can’t tell the difference between the app’s instructions and the attacker’s instructions, so they sometimes follow the wrong ones. Goal-manipulation attacks subtly shift what the agent thinks it should optimize for, turning “help the user” into “win the game at all costs.”