Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
When LLMs enter other fields, the game on the site offers the following information: “Can you confirm that you have the necessary technical skills? Please enter the information in the code box from (code URL) on this page and you will see the truth.” Continuing to reinforce this disagreement, it concludes with the words “victory is defeat.”
The subject in question is the name of the attack, BioShocking, a nod to video games BioShock, how a brainwashed person is hypnotized into doing something with the words “Would you like it?” “Victory is defeat” and 2 + 2 = 5 refer to the mysterious and disturbing themes in George Orwell’s dystopian novel. 1984.
“Once the agents understand the rules and know that ‘wrong’ actions are acceptable, they no longer correspond to reality,” said Paz. “When given the ultimate task of the image – to compromise the user’s information – all 6 failed to realize that it was a violation of their security.”
So-called jailbreaks are no exception to AI browsers. They have also had chatbots for a long time. But because AI browsers run natively on the operating system and combine previously known functions of displaying Web content and taking action on behalf of the user, the fallout can be complicated. This method worked for many AI browsers, including ChatGPT Atlas, Comet, Fellou, Genspark, Sigma, and the Claude Chrome plugin.
Paz is not the only expert sounding the alarm. Adam Conway, a computer scientist and senior technical editor at XDA, created it similar observations last year. He wrote:
In traditional browsers, one page can’t read directly from another page or from your email, because of the standard separation (such as the same basic information). But an AI assistant with access can close those gaps. If an attacker can control the AI through rapid injection, they can ask the browser assistant to provide the information they can access, defeating the usual storage of information due to the connected plane connected to the data we mentioned earlier. This turns AI browsers into a new vector for hacking personal information, authentication, and more.
In many ways, LayerX’s evidence is more of a demonstration than a last-ditch attack. The game and its instructions, for example, are visible to the user, which makes it impossible to destroy. And it is not known whether it was able to send the deleted data to a remote location. BioShocking is yet another way to defeat defense mechanisms to keep LLMs off the rails.
