Security researchers at Cato CTRL have discovered a new indirect prompt injection technique called\u00a0HashJack, which weaponises legitimate websites to manipulate AI browser<\/a> assistants.<\/p>\n The attack conceals malicious instructions after the \u201c#\u201d symbol within trusted URLs, enabling threat actors to conduct a wide range of attacks without compromising any website.<\/p>\n The technique exploits a fundamental design flaw in how AI browsers handle URL fragments. When users visit a URL containing hidden prompts after the \u201c#\u201d symbol, the AI browser sends the whole URL, including the fragment, to its AI assistant.<\/p>\n Since URL fragments never leave the client-side, traditional network and server defences cannot detect them.<\/p>\n This creates a dangerous blind spot. Server logs only record the clean base URL, and intrusion detection systems <\/a>cannot see the malicious payload.<\/p>\n Even security-conscious users are fooled because the AI assistant\u2019s suggestions appear native to the trusted website they are visiting.<\/p>\n Google classified the issue as \u201cWon\u2019t Fix (Intended Behaviour)\u201d despite acknowledging the report. Microsoft responded promptly and applied a fix within two months of disclosure.<\/p>\n Six Attack Scenarios Identified<\/strong><\/p>\n According to Cato Networks<\/a>, researchers outlined six dangerous scenarios enabled by HashJack. <\/p>\n These include\u00a0callback phishing, where fake support numbers appear in AI responses;\u00a0data exfiltration\u00a0in agentic browsers like Comet; and\u00a0misinformation\u00a0through fabricated financial news.<\/p>\n Cato CTRL tested HashJack against three major AI browsers:<\/p>\nHow HashJack Works<\/strong><\/h2>\n
![\"The](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2025\/11\/image.jpg?resize=752%2C355&ssl=1\")