On November 25, 2025, cybersecurity agency Cato Networks revealed HashJack, a brand new menace the place the straightforward pound signal (#) in an online handle (URL) hides malicious directions for AI browser assistants like Google’s Gemini, Microsoft’s Copilot, and Perplexity’s Comet.
The Vulnerability
HashJack is the primary of its sort instance of an oblique immediate injection approach, the place an attacker hides instructions in content material the AI will learn later, on this case, the URL itself. This permits HashJack to use how AI assistants learn the complete URL, together with the part after the # (the URL fragment), which net servers usually ignore.
This permits unhealthy actors to weaponise any professional web site with out hacking the location itself. As Cato Networks’ senior safety researcher Vitaly Simonovich explains, the weak spot is within the AI assistant’s dealing with of the URL. Since customers belief the professional website, they belief the AI’s manipulated recommendation.
The hidden instructions can result in quite a lot of malicious actions, together with tricking customers into revealing their login particulars (credential theft) and even giving false health-related recommendation (medical hurt). Extra regarding is that, in superior agentic modes (the place the AI performs duties routinely), the assistant will be instructed to steal delicate consumer knowledge (knowledge exfiltration) by fetching an attacker’s URL within the background.
Moreover, the AI will be guided to present step-by-step directions for dangerous technical duties, equivalent to opening system ports or downloading a package deal that’s really malware. Researchers additionally famous that in some superior AI browsers, like Perplexity’s Comet, the assault may even escalate to the AI assistant routinely fetching and sending consumer knowledge to an exterior handle.
Blended Response from Tech Giants
The Cato Networks menace analysis crew disclosed their findings to the affected firms beginning in July and August of 2025. Microsoft responded shortly, making use of a repair for Copilot for Edge on October 27. Perplexity additionally utilized a repair for his or her Comet browser by November 18, 2025.
Google, nonetheless, has not but resolved the difficulty for Gemini in Chrome. The report was marked by Google Abuse VRP / Belief & Security in October 2025 as “Received’t Repair (Meant Behaviour)” with a low severity score. It’s value noting that the difficulty remained unresolved on the time the analysis was revealed.
The findings from Cato CTRL™ Risk Analysis, shared completely with Hackread.com, introduce a brand new class of AI safety danger as a result of malicious instructions are hidden in URL fragments, bypassing conventional firewalls. This discovery reminds the trade that, as AI assistants deal with delicate knowledge, distributors should urgently repair flaws in AI design to forestall future context manipulation assaults.
