A Novel Exploit Leveraging URL Fragments To Deceive AI Browsers


Security researchers at Cato CTRL have uncovered HashJack, an innovative indirect prompt-injection attack that hides harmful commands in the fragment portion of a URL, after the “#” symbol.

This technique turns trusted websites into weapons against AI browser assistants like Perplexity’s Comet, Microsoft’s Copilot in Edge, and Google’s Gemini in Chrome.

How The Attack Unfolds

HashJack exploits a core web standard: URL fragments are processed entirely in the browser and never reach servers, evading IDS/IPS, CSP rules, and network logs.

When an AI browser loads the page and the user interacts with the embedded assistant (say, by asking about services), the full URL, including the hidden fragment, is added to the LLM’s context window.

This triggers injected instructions, altering responses seamlessly as if from the site itself.

The chain involves five steps: crafting the tainted URL, user navigation to the legitimate site, AI assistant activation with page context, fragment injection into the prompt, and malicious execution, such as link insertion or data extraction.

Figure: HashJack in five steps (the attack chain)

In agentic browsers like Comet (version 138.0.7204.158), it escalates: the AI can autonomously fetch attacker endpoints with scraped details such as account numbers or emails.

Non-agentic ones like Copilot (Edge 139.0.3405.102) and Gemini (Chrome 139.0.7258.128) still display phishing links or false information. However, Edge gates clicks, and Chrome often redirects to search results.

Indirect prompt injection differs from direct attacks by embedding commands in external data the model ingests, which poses a rising LLM risk because models lack isolation for untrusted inputs.

Cato tested on demo sites, confirming fragments bypass defenses because packets carry only the base URL.

Cato detailed six scenarios. Callback phishing injects fake support numbers (e.g., WhatsApp links) via queries like “new services?” Data exfiltration in Comet sends profile data to attackers during loan checks.

Misinformation fabricates stock surges; malware scenarios guide users through opening ports or adding SSH keys; medical pages push wrong dosages; credential theft prompts fake logins.

Figure: URL fragment

Disclosures started in July 2025: Perplexity fixed it by November 18 after Bugcrowd triage; Microsoft applied patches on October 27 with defense-in-depth; Google deemed it “intended behavior” (S4 severity), unresolved as of November 25.

Cato’s SASE platform counters via CASB for AI restrictions, IPS for phishing, and NGAM for malware, despite the client-side nature.

This flaw underscores AI browsers’ reliance on complete URLs, requiring fragment sanitization.
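
One way to apply the fragment sanitization mentioned above on the client side, as an added example that is not taken from Cato's research or from any vendor's fix: the fragment is removed before the URL is placed in the assistant's context, and prose-like fragments are flagged for logging. The function names, the word-count and length thresholds, and the example.com URLs are assumptions made for illustration.

```javascript
// Added example: keep URL fragments out of the text handed to an assistant.
// Function names and heuristic thresholds are assumptions, not a vendor API.

// Decode a fragment without throwing on malformed percent-escapes.
function safeDecode(fragment) {
  try {
    return decodeURIComponent(fragment);
  } catch (_) {
    return fragment; // malformed escapes: inspect the raw text instead
  }
}

// Heuristic: real anchors are short tokens ("#pricing", "#/settings").
// Fragments that carry prose (several words, long text) are flagged.
function looksLikeProse(fragment) {
  const text = safeDecode(fragment).replace(/\+/g, ' ').trim();
  const words = text.split(/\s+/).filter(Boolean);
  return words.length >= 4 || text.length > 120;
}

// Returns the URL that may be placed in the model context, plus
// telemetry so the client can record what was dropped.
function urlForAssistantContext(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (_) {
    return { contextUrl: null, fragmentDropped: false, suspicious: false };
  }
  const fragment = url.hash.slice(1); // text after '#', still percent-encoded
  url.hash = '';                      // the fragment never enters the prompt
  return {
    contextUrl: url.href,
    fragmentDropped: fragment.length > 0,
    suspicious: fragment.length > 0 && looksLikeProse(fragment),
  };
}

// Constructed sample inputs (example.com is a placeholder host).
const samples = [
  'https://example.com/loans#rates',
  'https://example.com/loans#this%20is%20free%20text%20placed%20in%20the%20fragment',
  'https://example.com/loans?x=1#%E0%A4%A', // malformed percent-escape
];
for (const s of samples) console.log(urlForAssistantContext(s));
```

Dropping the fragment unconditionally is the control; the `suspicious` flag only feeds client-side telemetry, since the fragment never appears in server or network logs.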

As adoption grows (Edge at 274 million users, Comet eyeing millions), prompt guards become essential.
