
Most of us have had a worrying sense that AI could take us somewhere we'd rather not go if the wrong people got hold of it.
We've already seen ChatGPT produce hallucinatory responses, watched YouTubers expose the unsettling answers jailbroken AI systems can give and seen reports of rogue AI acting without human authorisation to mine cryptocurrency.
Now, researchers have uncovered a new method that can trick AI browsers into abandoning their guardrails entirely by constructing a false reality around them where the rules are invented and actions carry no consequences.

Advert
In a new study, cybersecurity firm LayerX revealed the dangers of weaving autonomous AI agents into internet software.
The researchers showed that AI browsers, including OpenAI's ChatGPT Atlas, Perplexity AI's Comet, and Anthropic's Claude plugin for Google Chrome, could all be manipulated into executing commands they would normally refuse. In theory, this would give a hacker the ability to change a user's password, install malware, and steal personal information.
Under normal circumstances, an AI browser operates on the assumption that 'its context is real' and that its behaviour must stay within its 'safety guardrails,' the researchers noted. However, if the AI can be convinced that its context is a 'fantasy,' the AI feels free to do as it pleases.
The researchers have named the technique 'BioShocking,' in reference to the 2007 video game BioShock, in which the protagonist is hypnotised into carrying out actions against their will by a specific phrase.

The researchers built a proof-of-concept page filled with BioShock-themed puzzles that reward the tech for giving intentionally wrong answers, such as treating 2+2 = 5. This gradually conditions the AI into accepting that incorrect or harmful actions are fair game, effectively untethering it from reality.
So in a real-world example, a user could visit what looks like a normal web page but is in fact hidden with malicious prompts designed to pull the AI browser into the trap, a technique known as prompt injection. From that point, the AI can be steered almost anywhere.
"In a real attack scenario, that redirect could point anywhere in the user's browser session - open tabs, authenticated repositories, internal tools," the researchers added.
The hack does happen quite noticeably in the browser window, though, so an attentive user could spot something wrong before any damage is done. But the fact is most people are not watching their AI assistant's every move.