Safety researchers at Cato CTRL have found a brand new oblique immediate injection method known as HashJack, which weaponises legit web sites to control AI browser assistants.
The assault conceals malicious directions after the “#” image inside trusted URLs, enabling menace actors to conduct a variety of assaults with out compromising any web site.
How HashJack Works
The method exploits a basic design flaw in how AI browsers deal with URL fragments. When customers go to a URL containing hidden prompts after the “#” image, the AI browser sends the entire URL, together with the fragment, to its AI assistant.
The assault chain
Since URL fragments by no means go away the client-side, conventional community and server defences can not detect them.
This creates a harmful blind spot. Server logs solely file the clear base URL, and intrusion detection methods can not see the malicious payload.
Even security-conscious customers are fooled as a result of the AI assistant’s options seem native to the trusted web site they’re visiting.
Google categorized the difficulty as “Gained’t Repair (Meant Behaviour)” regardless of acknowledging the report. Microsoft responded promptly and utilized a repair inside two months of disclosure.
Six Assault Eventualities Recognized
In keeping with Cato Networks, researchers outlined six harmful eventualities enabled by HashJack.
These embrace callback phishing, the place pretend assist numbers seem in AI responses; knowledge exfiltration in agentic browsers like Comet; and misinformation via fabricated monetary information.
Cato CTRL examined HashJack in opposition to three main AI browsers:
AI BrowserVendorStatusCometPerplexityFixed (November 18, 2025)Copilot for EdgeMicrosoftFixed (October 27, 2025)Gemini for ChromeGoogleUnresolved
The method additionally permits malware steering with step-by-step set up directions, medical hurt via harmful dosage misinformation, and credential theft through injected login hyperlinks.
The agentic capabilities of Perplexity’s Comet browser proved particularly regarding.
Throughout testing, the browser robotically despatched consumer knowledge, together with account names, transaction historical past, and get in touch with particulars, to attacker-controlled endpoints.
HashJack represents a major shift within the AI menace panorama. Not like conventional phishing assaults that depend on pretend web sites, this system abuses consumer belief in legit domains.
Any web site could be weaponised with out being compromised. The attacker must share a crafted URL containing the malicious fragment.
As AI browser assistants achieve entry to delicate knowledge and system controls, the chance of context manipulation will proceed rising.
Safety specialists urge AI browser distributors to implement sturdy defences earlier than widespread adoption makes these assaults inevitable in real-world eventualities.
Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to characteristic your tales.
