Three independent security research teams published warnings about AI-powered browsers in under four months, with multiple leading vendors declining to act on the findings.
The most recent disclosure, published June 29, 2026 by cybersecurity firm LayerX, demonstrated a technique called BioShocking that tricked six agentic browsers, which use embedded AI to execute tasks autonomously, into surrendering user credentials by bypassing their safety guardrails.
The affected platforms included OpenAI’s ChatGPT Atlas, Perplexity AI’s Comet, Anthropic’s Claude Chrome plugin, Fellou, Genspark Browser, and Sigma Browser. Only one of the six vendors acted on the disclosure.
The attack works by presenting the browser’s embedded large language model (LLM) with a puzzle that rewards intentionally wrong answers. Once the LLM processes that incorrect responses are valid, it stops enforcing its safety restrictions.
“Once the agents figured out the rules and learned that ‘incorrect’ actions are acceptable, they were no longer tied to reality,” LayerX researcher Roy Paz wrote. “When tasked with compromising user credentials, all six agents failed to identify it as going against their safety guardrails.”
A separate University of Washington study, also released in late June, found that four of seven tested agentic browsers could be manipulated to bypass the same-origin policy (SOP), a core web security protocol in place since 1995.
The team ran a successful proof-of-concept attack on ChatGPT Atlas and found the same conditions in Chrome with Gemini, Claude for Chrome, and Perplexity Comet. Perplexity AI and OpenAI declined the report. Anthropic did not respond.
“After 30 years of building up this same-origin policy, this is a big step back for browser security,” said UW Professor Franziska Roesner.
Both findings follow a March 2026 Zenity Labs disclosure identifying PleaseFix, a separate family of vulnerabilities in Perplexity’s Comet browser that allowed credential theft through prompt injection and was subsequently patched by the vendor prior to release.







