Hashtag-do-whatever-I-tell-you
Cato Networks says it has discovered a new attack, dubbed "HashJack," that hides malicious prompts after the "#" in legitimate URLs, tricking AI browser assistants into executing them while dodging traditional network and server-side defenses.
Prompt injection occurs when something causes text that the user didn't write to become commands for an AI bot. Direct prompt injection happens when unwanted text gets entered at the point of prompt input, while indirect injection happens when content, such as a web page or PDF that the bot has been asked to summarize, contains hidden commands that AI then follows as if the user had entered them. AI browsers, a relatively new type of web browser that uses AI to try and guess user intent and take autonomous actions, have so far proven to be particularly vulnerable to indirect prompt injection – in their quest to be helpful, they sometimes end up helping attackers rather than end users.
Cato describes HashJack as "the first known indirect prompt injection that can weaponize any legitimate website to manipulate AI browser assistants." It outlines a method where actors sneak malicious instructions into the fragment part of legitimate URLs, which are then processed by AI browser assistants such as Copilot in Edge, Gemini in Chrome, and Comet from Perplexity AI. Because URL fragments never leave the AI browser, traditional network and server defenses cannot see them, turning legitimate websites into attack vectors.
REG AD
The new technique works by appending a "#" to the end of a normal URL, which doesn't change its destination, then adding malicious instructions after that symbol. When a user interacts with a page via their AI browser assistant, those instructions feed into the large language model and can trigger outcomes like data exfiltration, phishing, misinformation, malware guidance, or even medical harm – providing users with information such as incorrect dosage guidance.
REG AD
"This discovery is especially dangerous because it weaponizes legitimate websites through their URLs. Users see a trusted site, trust their AI browser, and in turn trust the AI assistant's output – making the likelihood of success far higher than with traditional phishing," said Vitaly Simonovich, a researcher at Cato Networks.
In testing, Cato CTRL (Cato's threat research arm) found that agent-capable AI browsers like Comet could be commanded to send user data to attacker-controlled endpoints, while more passive assistants could still display misleading instructions or malicious links. It's a significant departure from typical "direct" prompt injections, because users think they're only interacting with a trusted page, even as hidden fragments feed attacker links or trigger background calls.
Cato's disclosure timeline shows that Google and Microsoft were alerted to HashJack in August, while the findings were flagged with Perplexity in July. Google classified it as "won't fix (intended behavior)" and low severity, while Perplexity and Microsoft applied fixes to their respective AI browsers.
"At Microsoft, we understand that defending against indirect prompt injection attacks is not just a technical challenge, it's an ongoing commitment to keeping our users safe in an ever-changing digital landscape," Redmond said in a statement. "Our security team is always on the lookout for new variants, treating each one as a unique scenario that deserves a thorough investigation. By maintaining this vigilant stance, we ensure that our products continue to meet the highest standards of security."
Cato's findings show that security teams can no longer rely solely on network logs or server-side URL filtering to catch emerging attacks. Cato suggests layered defenses, including AI governance, blocking suspicious fragments, restricting which AI assistants are permitted, and monitoring the client side. The shift means organizations need to look past the website itself and into how the browser + assistant combo handles hidden context.
With AI browsers on the cusp of mainstream usage, HashJack warns that a class of threats long confined to server vulnerabilities and phishing websites may now live inside the browsing experience itself. ®