On November 25, 2025, cybersecurity agency Cato Networks revealed HashJack, a brand new risk the place the easy pound signal (#) in an online tackle (URL) hides malicious directions for AI browser assistants like Google’s Gemini, Microsoft’s Copilot, and Perplexity’s Comet.
The Vulnerability
HashJack is the primary of its sort instance of an oblique immediate injection approach, the place an attacker hides instructions in content material the AI will learn later, on this case, the URL itself. This enables HashJack to use how AI assistants learn the total URL, together with the part after the # (the URL fragment), which net servers usually ignore.
This enables dangerous actors to weaponise any reputable web site with out hacking the positioning itself. As Cato Networks’ senior safety researcher Vitaly Simonovich explains, the weak point is within the AI assistant’s dealing with of the URL. Since customers belief the reputable web site, they belief the AI’s manipulated recommendation.
The hidden instructions can result in a wide range of malicious actions, together with tricking customers into revealing their login particulars (credential theft) and even giving false health-related recommendation (medical hurt). Extra regarding is that, in superior agentic modes (the place the AI performs duties routinely), the assistant will be instructed to steal delicate consumer information (information exfiltration) by fetching an attacker’s URL within the background.
Moreover, the AI will be guided to offer step-by-step directions for dangerous technical duties, corresponding to opening system ports or downloading a package deal that’s really malware. Researchers additionally famous that in some superior AI browsers, like Perplexity’s Comet, the assault may even escalate to the AI assistant routinely fetching and sending consumer information to an exterior tackle.
Combined Response from Tech Giants
The Cato Networks risk analysis staff disclosed their findings to the affected corporations beginning in July and August of 2025. Microsoft responded shortly, making use of a repair for Copilot for Edge on October 27. Perplexity additionally utilized a repair for his or her Comet browser by November 18, 2025.
Google, nevertheless, has not but resolved the problem for Gemini in Chrome. The report was marked by Google Abuse VRP / Belief & Security in October 2025 as “Received’t Repair (Supposed Behaviour)” with a low severity score. It’s price noting that the problem remained unresolved on the time the analysis was revealed.
The findings from Cato CTRL™ Risk Analysis, shared completely with Hackread.com, introduce a brand new class of AI safety threat as a result of malicious instructions are hidden in URL fragments, bypassing conventional firewalls. This discovery reminds the business that, as AI assistants deal with delicate information, distributors should urgently repair flaws in AI design to stop future context manipulation assaults.
