HashJack Attack: New Technique Weaponizes URLs to Hijack AI Browser Assistants

Cato Networks has unveiled a new attack technique, dubbed HashJack, which conceals malicious AI prompts behind the “#” symbol within legitimate URLs — coercing AI-powered browsers into executing them while remaining invisible to traditional security controls. In effect, any familiar, trusted link can be transformed into a mechanism for manipulating an AI assistant directly inside the browser.

At its core, HashJack exploits the classic principle of prompt injection — a scenario in which text the user never typed is interpreted as commands by an AI system. Traditionally, two forms of such attacks are recognized: direct injections, where malicious prompts land squarely in the input field, and indirect ones, where hidden instructions are buried in web pages, PDFs, or other content the AI is expected to analyze. AI browsers, the emerging class of products that attempt to “understand user intent” and autonomously perform tasks, have repeatedly demonstrated susceptibility to indirect prompt injections: in their eagerness to be helpful, they sometimes end up assisting the attacker rather than the user.

Cato describes HashJack as “the first known indirect prompt-injection attack capable of turning any legitimate website into a weapon against AI-browser assistants.” The technique hinges on manipulating the URL fragment — the portion that follows the “#” symbol. This is where the attacker hides the instructions, and AI assistants embedded in browsers such as Edge’s Copilot, Chrome’s Gemini, or Perplexity’s Comet treat this fragment as contextual input to the underlying model.

The key is that the URL fragment never leaves the browser: it is neither transmitted to the site’s server nor captured by standard traffic-monitoring tools. To network and server-side defenses, the traffic appears perfectly benign — but the AI assistant sees the full URL and absorbs the hidden commands following the “#”. As a result, a site the user trusts becomes an unknowing attack vector.

Technically, the attack could not appear more harmless: a standard URL is appended with a “#” — which does not alter the destination — followed by covert instructions. The user clicks the familiar domain, opens the page, and invokes the AI assistant with a request such as “explain this article” or “summarize it.” At that moment, the concealed URL fragment is blended into the model’s prompt, enabling outcomes such as data leakage, phishing, disinformation, guidance on crafting malware, or even potential physical harm — for example, if the assistant generates misleading medication-dosage advice.

“This discovery is especially dangerous because it weaponizes legitimate websites through their URLs,” notes Cato Networks researcher Vitaly Simonovich. “Users see a trusted resource, trust their AI browser, and therefore trust the assistant’s response — the likelihood of success here is far higher than with traditional phishing.” In essence, HashJack exploits the user’s faith in reputable brands and AI-driven tools while imitating a normal interaction pattern.

During testing, Cato’s research division, Cato CTRL, demonstrated that “agentic” AI browsers capable of taking autonomous actions — such as Comet — can be coerced into sending user data to attacker-controlled servers. More passive assistants, which merely display answers and links, are likewise vulnerable: they may present misleading instructions, surface phishing URLs, or provide recommendations aligned with the attacker’s goals. Unlike classic direct prompt injections, this scenario leaves the user convinced they are interacting solely with a trusted website, unaware of hidden fragments and silent background processes.

According to Cato, Google and Microsoft were notified about HashJack in August, while Perplexity was alerted earlier in July. Their reactions diverged: Google classified the issue as “won’t fix (intended behavior)” with low severity, whereas Perplexity and Microsoft implemented mitigation in their AI browsers. Microsoft emphasized that defending against indirect prompt injection “is not merely a technical challenge but an ongoing commitment to safeguarding users in a rapidly evolving digital landscape,” noting that each new attack variant must be analyzed as a distinct threat.

Cato’s conclusions are unequivocal: relying solely on network logs and server-side URL filtering is no longer viable. Protection must become multilayered — organizations are urged to adopt AI-governance policies, block suspicious URL fragments, restrict which AI assistants are permitted, and strengthen client-side monitoring. In other words, defenders must examine not only which site a user opens, but how the browser-and-assistant duo interprets hidden context.

As AI browsers move from niche experimentation to mainstream adoption, HashJack signals the arrival of an entirely new threat class. What once seemed confined to server-side vulnerabilities or fraudulent webpages can now reside squarely within the familiar browser interface — in the address bar and the assistant popup. And the more we delegate everyday tasks to AI, the more enticing such techniques will become for attackers.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy