Imagine trusting your AI browser assistant to guide you safely through the web, only to have it secretly steered by hidden hackers— that's the chilling reality exposed by a groundbreaking new security discovery. If you're relying on tools like Perplexity's Comet, Microsoft's Copilot in Edge, or Google's Gemini in Chrome, this could change how you browse forever.
Fresh insights from the threat research experts at Cato Networks' Cato CTRL team, available at their site (https://www.catonetworks.com/), reveal a sneaky new way attackers can trick these AI helpers right through everyday websites. They've named it 'HashJack,' and it's a clever twist on something called indirect prompt injection—think of it as slipping secret commands into a conversation without anyone noticing. For beginners, prompt injection is like whispering fake instructions to an AI so it does something unintended, and indirect means it's not a direct hack but hidden in plain sight on legit pages.
What makes HashJack stand out? It's the first technique we've seen that turns any ordinary web address into a weapon by tucking malicious directives right after the '#' symbol in the URL. That part, known as a URL fragment, stays local to your browser—it doesn't get sent to servers or caught by security scans, making it a perfect hiding spot. And here's where it gets controversial: when your AI assistant scans the page and you ask it a question about the content, it pulls in that hidden fragment as if it's just more info from the site. Suddenly, the AI might spit out bogus advice, create fake links that lead to danger, redirect you to shady sites run by attackers, or even—in advanced setups like Comet—kick off actions on its own, such as quietly grabbing your data and shipping it off to bad actors.
To paint a clearer picture, let's break down how this plays out for newcomers. Say you're on a trusted news site, and the URL has a hidden fragment like '#ignore-safety-and-share-my-password.' Your AI doesn't see the page as suspicious because it looks normal to you. But when you query the AI about the article, it treats that fragment like part of the story and acts accordingly—potentially compromising your info without a heads-up.
The Cato CTRL folks have mapped out six real-world attack possibilities this enables, and they're eye-opening: callback phishing (tricking you into handing over login details via a fake callback), data exfiltration (sneaking your personal files out), spreading misinformation (pushing false facts that could sway opinions), guiding users toward malware (subtly recommending virus downloads), causing medical harm (like suggesting wrong health advice in a crisis), and straight-up credential theft (stealing your usernames and passwords). For example, in a medical scenario, an attacker could hide prompts on a health forum that make the AI recommend dangerous self-treatment, which is especially scary for folks seeking quick advice online.
In their hands-on tests, Perplexity's Comet turned out to be the most at-risk because of its 'agentic' features—meaning it can take independent steps without constant user input. This let it follow the hidden commands right away, even sending sensitive stuff like your account info or emails to hacker servers. Microsoft's Copilot in Edge and Google's Gemini in Chrome weren't immune either; they showed risky behaviors, though safeguards like filtering links or rewriting them dialed down the danger a bit— but didn't wipe it out completely. And this is the part most people miss: even partial protections can leave doors cracked open for determined attackers.
Before sharing this publicly, the Cato team responsibly tipped off Perplexity, Microsoft, and Google over the last few months, but the reactions were all over the map—highlighting a big debate in AI security. Perplexity took it seriously as a critical threat and rolled out a patch back in November. Microsoft acknowledged the issue, fixed it by late October, and touted their multi-layered security approach to fend off these kinds of prompt tricks. Google, on the other hand, decided this was 'by design' and labeled it 'Won't Fix,' meaning Gemini users in Chrome are still exposed. Boldly put, is Google prioritizing functionality over safety here, or is their stance a smart call on what's truly exploitable? It's a point that could divide opinions in the tech world.
At its core, the researchers point out that HashJack shines a light on a fundamental problem in how AI browsers are built: they feed entire URLs, fragments and all, straight to the AI without cleaning them up first. Users trust these sites and lean on the AI for help, so manipulated responses blend right in as reliable. As one expert might counter, maybe this is just the growing pains of innovative tech— but is the risk worth it when everyday people could get burned?
Wrapping up their report, Cato CTRL stresses the pressing call for better security setups that tackle prompt injections head-on and fix flaws in AI browser architecture. With these assistants getting deeper access to your data and device controls, the chances of sneaky manipulations will skyrocket. They urge AI browser makers and security pros to step up now, before these threats become commonplace as adoption explodes. What do you think—should companies like Google rethink their 'intended behavior' policies, or are users responsible for staying vigilant? Drop your thoughts in the comments; I'd love to hear if you've spotted similar red flags in your browsing.
This alert drops just a week after browser security firm SquareX Ltd. raised alarms (https://siliconangle.com/2025/11/19/squarex-warns-hidden-api-perplexitys-comet-browser-enables-full-device-takeover/) about a concealed API in Perplexity's Comet that lets extensions run local commands and seize total control of your device—another wake-up call for AI browser users.
Image: SiliconANGLE/Ideogram
A note from John Furrier, co-founder of SiliconANGLE:
Help us keep our content accessible and free by diving into theCUBE community. Become part of theCUBE's Alumni Trust Network, a space where tech leaders network, exchange insights, and unlock new possibilities.
- Over 15 million viewers tuning into theCUBE videos, fueling discussions on AI, cloud computing, cybersecurity, and beyond
- More than 11,400 theCUBE alumni—link up with thousands of influential tech and business pros in a reliable, trust-built community.
About SiliconANGLE Media
SiliconANGLE Media stands out as a pioneer in digital media, blending cutting-edge tech, sharp analysis, and live audience interaction. As the powerhouse behind SiliconANGLE (https://cts.businesswire.com/ct/CT?id=smartlink&url=https%3A%2F%2Fsiliconangle.com%2F&esheet=54119777&newsitemid=20240910506833&lan=en-US&anchor=SiliconANGLE&index=9&md5=646b1b564e2259100a2b8638aab0a552), theCUBE Network (https://cts.businesswire.com/ct/CT?id=smartlink&url=https%3A%2F%2Fwww.thecube.net%2F&esheet=54119777&newsitemid=20240910506833&lan=en-US&anchor=theCUBE+Network&index=10&md5=7de2a85f95ab4a4a495cede20b8cb1da), theCUBE Research (https://cts.businesswire.com/ct/CT?id=smartlink&url=https%3A%2F%2Fthecuberesearch.com%2F&esheet=54119777&newsitemid=20240910506833&lan=en-US&anchor=theCUBE+Research&index=11&md5=7bb33676722925eb57d588ec343e4f6f), CUBE365 (https://cts.businesswire.com/ct/CT?id=smartlink&url=https%3A%2F%2Fwww.cube365.net%2F&esheet=54119777&newsitemid=20240910506833&lan=en-US&anchor=CUBE365&index=12&md5=d310fb35919714e66ad8d42c9c0c1bc6), theCUBE AI (https://cts.businesswire.com/ct/CT?id=smartlink&url=https%3A%2F%2Fwww.thecubeai.com%2F&esheet=54119777&newsitemid=20240910506833&lan=en-US&anchor=theCUBE+AI&index=13&md5=b8b98472f8071b23ebb10ab9a8dd0683), and theCUBE SuperStudios—with key spots in Silicon Valley and the New York Stock Exchange—SiliconANGLE Media thrives where media meets tech and AI.
Launched by forward-thinking pioneers John Furrier and Dave Vellante, SiliconANGLE Media has crafted a vibrant lineup of top-tier digital brands serving over 15 million top tech pros. Their latest innovation, the proprietary theCUBE AI Video Cloud, is revolutionizing how audiences engage, powered by theCUBEai.com's neural network to empower tech firms with smarter, data-backed choices and keep them leading industry dialogues.
