{"id":5959,"date":"2025-11-27T00:12:30","date_gmt":"2025-11-27T00:12:30","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5959"},"modified":"2025-11-27T00:12:30","modified_gmt":"2025-11-27T00:12:30","slug":"ai-browsers-can-be-tricked-with-malicious-prompts-hidden-in-url-fragments","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5959","title":{"rendered":"AI browsers can be tricked with malicious prompts hidden in URL fragments"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Researchers have demonstrated another indirect prompt injection attack against AI-powered browsers and browser assistants that could lead to phishing, sensitive data exfiltration, credential theft, or malware downloads. The attack, dubbed HashJack, relies on rogue prompts added to URLs after the hash (#) symbol, also known as a named anchor or URL fragment.<\/p>\n<p>\u201cHashJack is the first known indirect prompt injection that can weaponize any legitimate website to manipulate AI browser assistants,\u201d researchers from Cato Networks said in the <a href=\"https:\/\/www.catonetworks.com\/blog\/cato-ctrl-hashjack-first-known-indirect-prompt-injection\/\">report<\/a>. 
\u201cAs a result, AI browsers \u2014 including Comet (Perplexity), Copilot for Edge (Microsoft), and Gemini for Chrome (Google) \u2014 can be used to enable a wide range of malicious attacks.\u201d<\/p>\n<h2 class=\"wp-block-heading\">A client-side attack<\/h2>\n<p>The # character inside a URL has multiple uses: The portion after it tells the browser to jump to a specific section of the loaded page; it can tell JavaScript code on the page what to display in an in-page dynamic navigation scenario; or it can be used to save state information about the user interface, such as user-selected options.<\/p>\n<p>One important aspect is that URL fragment data is never sent to the web server or over the network. It\u2019s only meant for the browser or the code already loaded on the client side. And it turns out that since AI browser assistants are designed to analyze the currently open website for context, they also read the URL fragments passed after #, and these can hide malicious prompts.<\/p>\n<p>The client-side nature of this attack means traditional network defenses, such as IPS\/IDS and network firewalls, can\u2019t detect it. Server logs don\u2019t capture the portion of URLs after # because it\u2019s never sent to the server, and browser defenses like Content Security Policy (CSP) don\u2019t trigger because nothing on the actual web page is changed.<\/p>\n<h2 class=\"wp-block-heading\">Tricking users into clicking poisoned links<\/h2>\n<p>HashJack is essentially a social engineering attack because it relies on tricking users into clicking on specially crafted URLs inside emails, chats, websites, or documents. However, this attack can be highly credible because it points to legitimate websites.<\/p>\n<p>For example, imagine a spoofed email that claims to be from a bank advising customers about suspicious activity in their accounts. 
Hovering over the link included in the email shows that it points to the bank\u2019s real website, HTTPS and everything, but it\u2019s a long link and somewhere in it there\u2019s the # character followed by a prompt for the AI assistant.<\/p>\n<p>Many users are likely to trust such a message since it points to the real bank\u2019s website and because long links with a lot of parameters and paths in them are not unusual. But the prompt that follows the # symbol will cause the AI browser assistant to provide attacker-altered instructions to the user, such as calling an attacker-controlled phone number or WhatsApp link for further customer support about the supposed situation.<\/p>\n<p>In another scenario, a prompt included in the link can tell an AI browser that acts like an agent \u2014 for example, Perplexity\u2019s Comet \u2014 to take information about the user\u2019s account, transaction history, phone number, and so on from the opened bank site and append it as parameters in a request to the attacker\u2019s server.<\/p>\n<p>Other attacks could involve the prompt causing the AI assistant to display fake information that would mislead the user: fake investment advice promoting a certain stock, fabricated news, dangerous medical advice like wrong doses for medicine, malicious instructions that could open a backdoor on the computer, instructions to re-authenticate that include a link to a phishing site, a link to download malware, and so on.<\/p>\n<p>URL fragments cannot modify page content. They are only used for in-page navigation using the code that\u2019s already there, so they are normally harmless. However, it now turns out that they can be used to modify the output of in-browser AI assistants or agentic browsers, which gives them an entirely new risk profile.<\/p>\n<p>\u201cThis discovery is especially dangerous because it weaponizes legitimate websites through their URLs,\u201d the researchers said. 
\u201cUsers see a trusted site, trust their AI browser, and in turn trust the AI assistant\u2019s output-making the likelihood of success far higher than with traditional phishing.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Different behavior across AI assistants<\/h2>\n<p>The impact was different between the tested AI assistants and across the various scenarios. For example, while prompt injections managed to influence the text output on all the products tested, injecting malicious links proved harder on Gemini Assistant for Chrome, where some links were rewritten as search URLs, and on Edge with Microsoft Copilot, which prompted for additional confirmation when clicking on links in messages.<\/p>\n<p>Perplexity\u2019s Comet, which is an agentic browser that does more than a built-in AI assistant, was the most susceptible one because it also could fetch attacker URLs in the background, with context information attached as parameters.<\/p>\n<p>Microsoft and Perplexity deployed fixes, but Google did not consider the HashJack technique a vulnerability because it views this as part of intended behavior. It\u2019s worth noting that Cato also tested Claude for Chrome and OpenAI\u2019s Operator browser, but the HashJack technique didn\u2019t work on them.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Researchers have demonstrated another indirect prompt injection attack against AI-powered browsers and browser assistants that could lead to phishing, sensitive data exfiltration, credential theft, or malware downloads. The attack, dubbed HashJack, relies on rogue prompts added to URLs after the hash (#) symbol, also known as a named anchor or URL fragment. 
\u201cHashJack is the [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5960,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5959","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5959"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5959"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5959\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5960"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5959"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5959"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5959"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}