Skip to main content
AI Browser Steals Credentials on CommandIncident
3 min readFor Security Engineers

AI Browser Steals Credentials on Command

In October 2024, LayerX security researchers disclosed a prompt injection vulnerability named "BioShocking." This attack tricks AI-powered browsers into executing malicious actions by framing them as part of a fictional scenario. LayerX tested their proof-of-concept against six mainstream AI browser products, and only OpenAI implemented an effective fix.

What Happened

LayerX researchers found that AI browsers, which use large language models to automate web interactions, cannot reliably distinguish between fictional prompts and real-world instructions. The attack embeds malicious commands in web content disguised as creative writing or hypothetical examples. When an AI browser processes such a page, it interprets the fictional instructions as legitimate tasks, potentially exfiltrating credentials, modifying form data, or transmitting session tokens to attacker-controlled endpoints.

The vulnerability affects any AI browser that processes untrusted web content without explicit action confirmation.

Timeline

October 2024: LayerX informed affected vendors of the BioShocking vulnerability and provided technical details of their proof-of-concept.

Post-disclosure: OpenAI deployed a fix for ChatGPT Atlas. The other five vendors either did not respond or did not implement effective mitigations by the time of public disclosure.

Public disclosure: LayerX published their findings after giving vendors time to remediate.

Which Controls Failed or Were Missing

The BioShocking attack exploited three control failures:

Input validation failure: AI browsers did not distinguish between user-initiated commands and commands embedded in third-party web content.

Missing user confirmation: Browsers executed sensitive actions without requiring explicit user approval for each action.

Inadequate context isolation: AI models lacked a trust boundary between the user's intent and content from untrusted sources.

These are architectural decisions that prioritize automation over security.

What the Relevant Standards Require

OWASP ASVS v4.0.3 Requirement 5.2.1 states: "Verify that the application is designed to enforce authorization decisions on every request." AI browsers must treat external prompts as untrusted input requiring authorization before execution.

OWASP Top 10 2021 A03:2021 – Injection covers scenarios where untrusted data is sent to an interpreter as part of a command. Prompt injection is a variant of this attack class.

ISO/IEC 27001:2022 Control 8.3 requires that users understand security risks associated with new technologies. If you're deploying AI browsers, your team needs training on prompt injection risks.

NIST CSF v2.0 PR.DS-5 applies directly. An AI browser that exfiltrates credentials on command fails this control. You need technical measures to prevent unauthorized data disclosure.

The missing control here is user confirmation for state-changing actions. OpenAI's fix reportedly added explicit prompts before executing sensitive operations, aligning with OWASP ASVS Requirement 4.2.2.

Lessons and Action Items for Your Team

1. Inventory your AI browser deployments

List every AI-powered browser or tool that processes untrusted web content in your environment. Document the vendor, access capabilities, user confirmation requirements, and last security update check.

2. Require user confirmation for sensitive actions

Configure AI browsers to prompt for approval before submitting forms with credentials, making requests to external domains, modifying data, or accessing credential stores. Evaluate alternatives if your current tool doesn't support this.

3. Implement network segmentation

Run AI browsers in isolated network segments with egress filtering. Block outbound connections to personal file-sharing services, paste sites, URL shorteners, and newly registered domains.

4. Monitor for prompt injection patterns

Add detection rules for common prompt injection techniques in your web application firewall or proxy logs. Log AI browser activity separately to analyze anomalies.

5. Update your security awareness training

Add a module on AI browser risks. Train users to recognize when an AI browser is acting without explicit instruction.

6. Establish a vendor response SLA

Add security response requirements to your vendor contracts, including acknowledgment of vulnerability reports and fix deployment timelines.

7. Test your AI browsers

Build a simple test page with a prompt injection payload. Host it internally and test with your AI browser to see if it validates actions.

The BioShocking attack highlights a critical oversight in AI browser security: the inability to distinguish between fictional scenarios and real-world actions, which could lead to significant data breaches. Your controls need to assume that every webpage is hostile.

Topics:Incident

You Might Also Like