Security researchers at Cato Networks identified a new indirect prompt injection technique called HashJack, which can force popular AI browsers and assistants to deliver phishing links, medication dosage misinformation or investment advice, send sensitive data to attackers, or induce users to perform risky actions. The technique gets its name because it relies on malicious instructions hidden in the URL fragment (the part after the "#" symbol) that points to a legitimate and seemingly harmless website.

The attack works when a specially crafted URL is shared via email, social media, or embedded in web pages. After the victim loads the page and asks any question to the AI browser or assistant, the system incorporates the fragmented instructions into its response, adding clickable links, providing supposedly helpful steps, or, in agentic modes, making background requests. The malicious instructions can be obfuscated to avoid suspicion, even for users who check links before clicking.

The researchers tested the technique against Perplexity's Comet browser and OpenAI's Atlas, as well as Microsoft's Copilot for Edge, Google's Gemini for Chrome, and Claude for Chrome. HashJack did not work on Claude for Chrome or Atlas, but was effective on the other three tested systems. The vulnerability exists because AI browsers and assistants have privileged access to the page state, turning any unverified context passed to the assistant into a potential threat vector. In agentic browsers like Comet, the attack can escalate further, with the assistant automatically sending user-entered data on web pages to attacker-controlled endpoints.

Following responsible disclosure of the findings by Cato Networks to Google, Microsoft, and Perplexity, the latter two companies created and deployed fixes. The solutions were included in Comet v142.0.7444.60 with Perplexity build 28106 and in Edge v142.0.3595.94 with Copilot. Google classified HashJack as "intended behavior," claiming it does not treat model output control, deceptive responses, or harmful instructions as security vulnerabilities, describing the effect as social engineering rather than a security boundary breach. Widespread exploitation of this flaw is unlikely, since HashJack is a multi-step process that depends on users interacting with the AI browser assistant, not just a simple link click.

This post was translated and summarized from its original version using AI, with human review.

With information from Help Net Security