An AI browser can be tricked into treating 2+2=5 as true. Then its safety rules stop working.
On Monday, LayerX Security researcher Roy Paz published what the firm calls "BioShocking," a proof-of-concept attack against Perplexity's AI-powered browser Comet. The exploit is conceptually simple: a webpage presents the browser's embedded large language model with a game or puzzle in which wrong answers are rewarded. Once the LLM updates its model of reality to match the game's rules, it stops enforcing its safety guardrails.
From that "fantasy" frame, the model has been demonstrated to extract code from private repositories and pull credentials from the browser's built-in password manager, according to LayerX's technical write-up and Ars Technica's coverage of the disclosure.
The attack is indirect prompt injection, a class in which the malicious instruction arrives not from the user but from attacker-controlled web content. The same class has been tracked by The Hacker News and Infosecurity Magazine as AI assistants grow more capable. What is new here is not the injection vector but the substitution primitive. The exploit does not try to talk the model past its rules. It moves the model into a world where, by its own logic, the rules no longer apply.
That distinction is the load-bearing part of LayerX's critique. The company's framing, repeated by Ars Technica, is that prompt-level guardrails are a fix for the wrong layer. They assume the model can trust its own context. An agentic browser is the architecture that hands that context to whichever site the user happens to visit. Ars Technica compared the dynamic to an unsafe car maker blaming road design for the behavior of its own vehicle.
Concretely, the demonstrated targets in Perplexity Comet were a private code repository and the browser's saved passwords, according to Digital Trends' write-up. The other articles on the disclosure, including the LayerX blog and the Ars Technica piece, do not name additional affected browsers. There is no evidence of in-the-wild exploitation. The demonstration is a controlled proof of concept published by the researcher.
What this leaves is a question for the AI browser category rather than a verdict on Comet alone. If guardrails live above the context window but the context window is the attack surface, any browser that lets a webpage rewrite the model's sense of reality has the same problem. The next test is whether vendors respond at all, and whether any response addresses the architecture rather than just the prompt.