Sign in Subscribe

AI Browsers Can Be Tricked Using the "#" Symbol

AI Browsers Can Be Tricked Using the "#" Symbol

Researchers from Cato Networks have discovered a new attack method targeting AI browsers called HashJack. The technique uses the "#" symbol in URLs to inject hidden commands that AI assistants execute, bypassing traditional security measures.

How HashJack Works

The HashJack attack exploits a fundamental characteristic of web URLs: the portion of a web address following the "#" symbol (the URL fragment) never leaves the browser and is not transmitted to the server. Attackers can append a "#" symbol to the end of a legitimate URL and place malicious prompts for the AI after it.

When a user interacts with the page through a built-in AI assistant—such as Copilot in Edge, Gemini in Chrome, or the Comet browser from Perplexity—these hidden instructions are processed by the language model and executed as if they were legitimate commands.

Experts describe this as "the first known indirect prompt injection capable of turning any legitimate website into an attack vector."

Demonstrated Exploitation Scenarios

In their tests, researchers demonstrated several HashJack exploitation methods. AI browsers with agent-like capabilities (such as Comet) could be manipulated into transmitting user data to attacker-controlled servers. Other AI assistants could be tricked into displaying phishing links or providing misleading instructions.

The potential consequences include data theft, phishing, disinformation campaigns, and even physical harm—for instance, if the AI provided incorrect medication dosage recommendations.

"This is especially dangerous because the success probability is much higher than with traditional phishing. Users see a familiar site and completely trust the AI assistant's responses," explains Cato Networks researcher Vitaly Simonovich.

Vendor Responses Vary

The researchers notified Perplexity developers of their finding in July, and Google and Microsoft in August. The responses varied significantly: Google classified the issue as "expected behavior," assigned the vulnerability a low severity rating, and declined to implement fixes. Microsoft and Perplexity, however, released patches for their browsers.

Microsoft representatives noted that the company views protection against indirect prompt injections as a "continuous process" and is thoroughly researching each new variant of such attacks.

Defense Requires New Approaches

In their report, researchers emphasize that traditional security methods cannot defend against HashJack attacks. Addressing these vulnerabilities requires a multi-layered defense strategy that includes managing and controlling AI tool usage, blocking suspicious URL fragments on the client side, restricting permitted AI assistants, and carefully monitoring browser activity with AI features.

In practical terms, organizations must now analyze not just the websites themselves, but the "browser + AI assistant" combination that processes hidden context. For M&A due diligence teams and legal professionals who increasingly rely on AI-powered research tools, this vulnerability introduces new risks when investigating target companies or gathering intelligence—malicious actors could manipulate AI assistants to provide false information or exfiltrate sensitive research data through seemingly legitimate websites.