On November 25, 2025, cybersecurity agency Cato Networks revealed HashJack, a brand new menace the place the easy pound signal (#) in an online handle (URL) hides malicious directions for AI browser assistants like Google’s Gemini, Microsoft’s Copilot, and Perplexity’s Comet.
The Vulnerability
HashJack is the primary of its form instance of an oblique immediate injection method, the place an attacker hides instructions in content material the AI will learn later, on this case, the URL itself. This enables HashJack to use how AI assistants learn the complete URL, together with the part after the # (the URL fragment), which internet servers usually ignore.
This enables dangerous actors to weaponise any official web site with out hacking the location itself. As Cato Networks’ senior safety researcher Vitaly Simonovich explains, the weak spot is within the AI assistant’s dealing with of the URL. Since customers belief the official web site, they belief the AI’s manipulated recommendation.
The hidden instructions can result in quite a lot of malicious actions, together with tricking customers into revealing their login particulars (credential theft) and even giving false health-related recommendation (medical hurt). Extra regarding is that, in superior agentic modes (the place the AI performs duties mechanically), the assistant may be instructed to steal delicate consumer information (information exfiltration) by fetching an attacker’s URL within the background.
Moreover, the AI may be guided to present step-by-step directions for dangerous technical duties, corresponding to opening system ports or downloading a bundle that’s truly malware. Researchers additionally famous that in some superior AI browsers, like Perplexity’s Comet, the assault may even escalate to the AI assistant mechanically fetching and sending consumer information to an exterior handle.
Blended Response from Tech Giants
The Cato Networks menace analysis crew disclosed their findings to the affected firms beginning in July and August of 2025. Microsoft responded shortly, making use of a repair for Copilot for Edge on October 27. Perplexity additionally utilized a repair for his or her Comet browser by November 18, 2025.
Google, nonetheless, has not but resolved the problem for Gemini in Chrome. The report was marked by Google Abuse VRP / Belief & Security in October 2025 as “Gained’t Repair (Supposed Behaviour)” with a low severity score. It’s value noting that the problem remained unresolved on the time the analysis was printed.
The findings from Cato CTRL™ Menace Analysis, shared solely with Hackread.com, introduce a brand new class of AI safety danger as a result of malicious instructions are hidden in URL fragments, bypassing conventional firewalls. This discovery reminds the trade that, as AI assistants deal with delicate information, distributors should urgently repair flaws in AI design to stop future context manipulation assaults.
