HashJack hides attack instructions after the "#" and AI browsers obey them
Cato Networks' research team disclosed HashJack on November 25, 2025, calling it the first known indirect prompt injection that can weaponize any legitimate website against AI browser assistants. The trick hides malicious instructions in a URL fragment - the part after the "#" - which browsers process only locally and never send to servers, so firewalls, intrusion systems and server logs never see the payload. When an AI assistant reads the page, it swallows the hidden instructions and can be steered into phishing, misinformation, malware guidance, bad medical advice, or, in agentic browsers like Perplexity Comet, actually exfiltrating user data. Microsoft and Perplexity shipped fixes. Google classified it for Gemini in Chrome as "won't fix - intended behavior."
Incident Details
Tech Stack
References
The part of the URL nobody watches
Every web address can carry a fragment: the bit after the "#" that browsers use to jump to a section of a page. It has a peculiar property that most people never think about and that turns out to matter a great deal. The fragment is processed entirely by your browser, on your machine. It is never sent to the web server. That means the security infrastructure sitting between you and the site - firewalls, intrusion-prevention systems, server-side logging - never sees it. As far as those defenses are concerned, the fragment does not exist.
Cato Networks' threat research group, Cato CTRL, realized that this blind spot is a perfect place to hide instructions for an AI. They named the resulting technique HashJack and disclosed it on November 25, 2025, describing it as the first known indirect prompt injection that can weaponize any legitimate website to manipulate AI browser assistants.
Weaponizing real websites
The elegance, if you can call it that, of HashJack is that it does not require compromising a website at all. The attacker takes a genuine, trusted URL - a real bank, a real news site, whatever - and simply appends malicious instructions after a "#". The link still points to the legitimate page. It still loads the legitimate page. A cautious user who inspects the domain sees a site they trust, because it is a site they trust. The poison is riding along in the fragment, invisible to the network and meaningless to the human.
The target is not the human, though. It is the AI browser assistant. When a user asks their in-browser AI to summarize the page, answer a question about it, or take some action, the assistant ingests the full URL, fragment included, into its working context. And there sit the attacker's instructions, which the model reads as part of what it is supposed to act on. The assistant cannot tell that the words after the "#" were placed there by an attacker rather than by the legitimate site; it processes them as instructions and does what they say.
What "what they say" can be
Cato demonstrated a range of abuse scenarios, and their severity scales with how much power the assistant has. On the milder end, with a passive assistant that only answers questions, HashJack could make it display misleading information, push malicious links, offer dangerous guidance - the researchers specifically flagged incorrect medical dosage advice as a possible harm - or serve as a convincing phishing lure, all while appearing to speak with the authority of a trusted site.
On the more alarming end, with an agentic browser that can actually take actions, the ceiling is higher. Cato showed that a browser like Perplexity's Comet could be commanded to exfiltrate user data to an attacker-controlled endpoint. When the AI can click, fill forms, and move data, an injected instruction stops being bad advice and becomes an action taken on the user's behalf, using the user's own authenticated session.
Why this is an AI problem, specifically
It would be easy to file HashJack under "another web bug," but that misses what actually fails. URL fragments have behaved this way forever; that is not the vulnerability. The vulnerability is that AI browser assistants read the whole URL into their reasoning context and cannot separate the legitimate part of the address from instructions an attacker hid in it. A regular browser does nothing dangerous with a fragment full of adversarial text. It is only when a language model ingests that text and treats it as a command that the exposure appears. The failure lives in the AI's inability to distinguish trusted content from injected instructions, which is the same core weakness behind every indirect prompt injection story on this site.
The vendor split, and Google's shrug
The disclosure produced a revealing divergence in how the affected companies responded. Cato notified Perplexity in July 2025 and Google and Microsoft in August. Microsoft (for Copilot in Edge) and Perplexity (for Comet) implemented fixes after disclosure. Google, for Gemini in Chrome, classified the issue as "won't fix - intended behavior" and marked it low severity.
That response is the part worth sitting with. Two vendors looked at the same technique and decided it warranted a patch. Google looked at it and decided that an AI assistant reading attacker-controlled instructions out of a URL fragment and potentially acting on them is working as designed. There is a defensible engineering argument buried in there - fragments are legitimately part of the page context, and drawing a clean line around what the assistant should ignore is genuinely hard - but "intended behavior" is a heavy label to put on a documented way to feed hidden commands to a browser assistant using nothing but a normal-looking link. It means that, absent a change of heart, the same trick that Microsoft and Perplexity considered worth closing remains open by design in one of the most widely used browsers on earth.
The takeaway
HashJack is a near-miss rather than a confirmed breach; the researchers demonstrated the exploit, and no mass exploitation has been reported. But it sharpens a point the AI browser era keeps making: giving a language model the ability to read and act on web pages means giving it the ability to read and act on whatever an attacker can smuggle into those pages, including the parts of a URL that no traditional defense inspects. The safe assumption for anyone using an in-browser AI assistant is that any link, however trustworthy the domain looks, might be carrying instructions meant for the machine and not for you.
Discussion