HashJack Indirect Prompt Injection Targets AI Browser Assistants

by Justin Erickson

Researchers at Cato Networks have detailed a new attack technique called HashJack that uses indirect prompt injection against AI powered browsers and assistants. The method hides malicious instructions in the URL fragment, the part after the “#” symbol. Web servers ignore this fragment, so the underlying page remains legitimate, but AI assistants that receive the full URL can read and follow the hidden prompt. HashJack was demonstrated against assistants in Copilot for Microsoft Edge, Gemini for Google Chrome, and Perplexity for Comet. In tests, the attack was able to make AI tools send sensitive page data to attacker-controlled endpoints, enable callback phishing, exfiltrate data, deliver misleading and harmful guidance, and steal credentials – all while the user sees a normal site on a trusted domain. Any site can be weaponized in this way without being compromised, as long as victims are lured to a malicious URL. This highlights weaknesses in current AI browser designs, which often treat the full URL and page context as trusted input. Even if AI guidance seems trustworthy, always double check sources yourself, and be very wary of clicking unsolicited and sketchy links. As of November 25th, Perplexity and Microsoft have applied fixes for their Comet and Copilot, but Gemini for Chrome remains unresolved as Google has classified the issue “Won’t Fix (Intended Behaviour)”. To mitigate risk for Gemini, f5 recommends “…use enterprise policies (GPO, MDM) to disable the Gemini AI assistant feature in all corporate Google Chrome browsers…”