On November 25, 2025, cybersecurity firm Cato Networks revealed HashJack, a new threat where the simple pound sign (#) in a web address (URL) hides malicious instructions for AI browser assistants like Google’s Gemini, Microsoft’s Copilot, and Perplexity’s Comet.
The Vulnerability
HashJack is the first of its kind example of an indirect prompt injection technique, where an attacker hides commands in content the AI will read later, in this case, the URL itself. This allows HashJack to exploit how AI assistants read the full URL, including the section after the # (the URL fragment), which web servers normally ignore.
This allows bad actors to weaponise any legitimate website without hacking the site itself. As Cato Networks’ senior security researcher Vitaly Simonovich explains, the weakness is in the AI assistant’s handling of the URL. Since users trust the legitimate site, they trust the AI’s manipulated advice.
The hidden commands can lead to a variety of malicious actions, including tricking users into revealing their login details (credential theft) and even giving false health-related advice (medical harm). More concerning is that, in advanced agentic modes (where the AI performs tasks automatically), the assistant can be instructed to steal sensitive user data (data exfiltration) by fetching an attacker’s URL in the background.
Furthermore, the AI can be guided to give step-by-step instructions for risky technical tasks, such as opening system ports or downloading a package that is actually malware. Researchers also noted that in some advanced AI browsers, like Perplexity’s Comet, the attack can even escalate to the AI assistant automatically fetching and sending user data to an external address.
Mixed Response from Tech Giants
The Cato Networks threat research team disclosed their findings to the affected companies starting in July and August of 2025. Microsoft responded quickly, applying a fix for Copilot for Edge on October 27. Perplexity also applied a fix for their Comet browser by November 18, 2025.
Google, however, has not yet resolved the issue for Gemini in Chrome. The report was marked by Google Abuse VRP / Trust & Safety in October 2025 as “Won’t Fix (Intended Behaviour)” with a low severity rating. It is worth noting that the issue remained unresolved at the time the research was published.
The findings from Cato CTRL™ Threat Research, shared exclusively with Hackread.com, introduce a new class of AI security risk because malicious commands are hidden in URL fragments, bypassing traditional firewalls. This discovery reminds the industry that, as AI assistants handle sensitive data, vendors must urgently fix flaws in AI design to prevent future context manipulation attacks.
