Security researchers at Cato CTRL have discovered a new indirect prompt injection technique called HashJack, which weaponises legitimate websites to manipulate AI browser assistants.
The attack conceals malicious instructions after the “#” symbol within trusted URLs, enabling threat actors to conduct a wide range of attacks without compromising any website.
How HashJack Works
The technique exploits a fundamental design flaw in how AI browsers handle URL fragments. When users visit a URL containing hidden prompts after the “#” symbol, the AI browser sends the whole URL, including the fragment, to its AI assistant.
Since URL fragments never leave the client-side, traditional network and server defences cannot detect them.
This creates a dangerous blind spot. Server logs only record the clean base URL, and intrusion detection systems cannot see the malicious payload.
Even security-conscious users are fooled because the AI assistant’s suggestions appear native to the trusted website they are visiting.
Google classified the issue as “Won’t Fix (Intended Behaviour)” despite acknowledging the report. Microsoft responded promptly and applied a fix within two months of disclosure.
Six Attack Scenarios Identified
According to Cato Networks, researchers outlined six dangerous scenarios enabled by HashJack.
These include callback phishing, where fake support numbers appear in AI responses; data exfiltration in agentic browsers like Comet; and misinformation through fabricated financial news.
Cato CTRL tested HashJack against three major AI browsers:
| AI Browser | Vendor | Status |
| Comet | Perplexity | Fixed (November 18, 2025) |
| Copilot for Edge | Microsoft | Fixed (October 27, 2025) |
| Gemini for Chrome | Unresolved |
The technique also enables malware guidance with step-by-step installation instructions, medical harm through dangerous dosage misinformation, and credential theft via injected login links.
The agentic capabilities of Perplexity’s Comet browser proved especially concerning.
During testing, the browser automatically sent user data, including account names, transaction history, and contact details, to attacker-controlled endpoints.
HashJack represents a significant shift in the AI threat landscape. Unlike traditional phishing attacks that rely on fake websites, this technique abuses user trust in legitimate domains.
Any website can be weaponised without being compromised. The attacker needs to share a crafted URL containing the malicious fragment.
As AI browser assistants gain access to sensitive data and system controls, the risk of context manipulation will continue growing.
Security experts urge AI browser vendors to implement robust defences before widespread adoption makes these attacks inevitable in real-world scenarios.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
