Imagine your AI assistant, the one you trust to browse the web and answer your questions, is being secretly manipulated. It sounds like science fiction, but a newly discovered technique called 'HashJack' makes it a reality, potentially turning your helpful AI companion into a tool for spreading misinformation or even stealing your data. This isn't just a theoretical threat; it's a real vulnerability affecting popular AI assistants like Perplexity AI's Comet, Microsoft's Copilot for Edge, and Google's Gemini for Chrome.
Cato Networks Ltd.'s Cato CTRL threat research team has unveiled this innovative indirect prompt injection technique. In essence, HashJack allows attackers to inject malicious instructions into AI browser assistants using seemingly harmless URLs. But here's where it gets controversial... this isn't about hacking websites directly. Instead, it leverages a subtle loophole in how these AI assistants process web pages.
So, how does this 'HashJack' work? The magic (or rather, the mischief) happens within the URL itself. Specifically, it exploits the part of the URL that comes after the '#' symbol, known as the 'fragment'. This fragment is typically used to jump to a specific section within a webpage. The clever part is that this fragment never leaves your browser; it's not sent to the web server or logged by network tools. And this is the part most people miss... Because AI assistants also access the content of the URL fragment, attackers can hide malicious prompts or instructions inside this fragment. When the AI assistant analyzes the page content, it unwittingly incorporates these hidden instructions into its understanding of the page.
Think of it like this: you ask your AI assistant for information about a product, and it consults a website. Unbeknownst to you, the URL contains a hidden instruction that tells the AI to recommend a fake product or redirect you to a phishing site. The AI, believing it's acting on legitimate information, carries out the attacker's wishes.
The implications are significant. Cato CTRL's research details six specific attack scenarios enabled by HashJack, including:
- Callback Phishing: Tricking the AI into displaying fake login prompts or requesting sensitive information.
- Data Exfiltration: Instructing the AI to secretly send user data (like account details or email addresses) to attacker-controlled servers. This is especially concerning with agentic AIs that can perform actions autonomously.
- Misinformation: Spreading false or misleading information by manipulating the AI's responses.
- Malware Guidance: Guiding users towards downloading malicious software.
- Medical-Related Harm: Providing incorrect or dangerous medical advice.
- Credential Theft: Stealing usernames and passwords by redirecting users to fake login pages.
During testing, Perplexity's Comet browser demonstrated a high degree of vulnerability due to its agentic capabilities. Comet could automatically act on the hidden instructions, even to the extent of transmitting user context to malicious servers. Copilot for Edge and Gemini for Chrome also exhibited exploitable behaviors, although they included some security measures that partially mitigated the risk. But here's where it gets controversial... While these measures reduced the danger, they didn't eliminate it entirely, highlighting that these AI assistants were still susceptible to manipulation.
Before going public, Cato CTRL responsibly disclosed its findings to Perplexity, Microsoft, and Google. Perplexity addressed the issue with a fix in November, recognizing the severity of the threat. Microsoft also confirmed the behavior and implemented a fix in late October, emphasizing its broader, layered security strategy against indirect prompt injection. However, and this is the part most people miss... Google classified the behavior as 'intended' and chose not to fix it, leaving Gemini for Chrome potentially vulnerable.
The researchers emphasize that HashJack reveals a fundamental design flaw in AI browsers. These browsers routinely pass full URLs, including fragments, to their embedded AI assistants without proper sanitization. Because users trust the websites they visit and rely on AI assistants for accurate information, manipulated output can easily appear legitimate, making the attack particularly insidious.
“Cato CTRL’s findings highlight the urgent need for security frameworks that address both prompt injection risks and weaknesses in AI browser design,” the report concludes. “As AI browser assistants gain access to sensitive data and system controls, the risk of context manipulation will only grow. AI browser vendors and security experts must act now, before widespread adoption makes these attacks inevitable in the real world.”
This news follows a recent warning from SquareX Ltd. about a hidden API in Perplexity's Comet browser that could allow extensions to execute local commands and gain complete control over users' devices, further highlighting the emerging security challenges with AI-powered browsers.
So, what do you think? Is Google right to classify this as 'intended behavior,' or should they prioritize user safety and implement a fix? Are we putting too much trust in AI assistants without fully understanding the potential risks? Share your thoughts in the comments below.
