AI browsers can be tricked with malicious prompts hidden in URL fragments

More

• Awards
• Blogs
• BrandPosts
• Events
• Podcasts
• Videos
• Enterprise Buyer’s Guides

Researchers discovered that adding instructions for AI-powered browser assistants after the hash (#) symbol inside URLs can influence their behavior to leak sensitive data and direct users to phishing pages or malware.



Credit: janews / Shutterstock

Researchers have demonstrated another indirect prompt injection attack against AI-powered browsers and browser assistants that could lead to phishing, sensitive data exfiltration, credential theft, or malware downloads. The attack, dubbed HashJack, relies on rogue prompts added to URLs after the hash (#) symbol, also known as a named anchor or URL fragment.

“HashJack is the first known indirect prompt injection that can weaponize any legitimate website to manipulate AI browser assistants,” researchers from Cato Networks said in the report. “As a result, AI browsers — including Comet (Perplexity), Copilot for Edge (Microsoft), and Gemini for Chrome (Google) — can be used to enable a wide range of malicious attacks.”

A client-side attack

The # character inside a URL has multiple uses: The portion after it tells the browser to jump to a specific section of the loaded page; it can tell JavaScript code on the page what to display in an in-page dynamic navigation scenario; or it can be used to save state information about the user interface, such as user-selected options.

One important aspect is that URL fragment data is never sent to the web server or over the network. It’s only meant for the browser or the code already loaded on the client side. And it turns out that since AI browser assistants are designed to analyze the currently open website for context, they also read the URL fragments passed after #, and these can hide malicious prompts.

The client-side nature of this attack means traditional network defenses, such as IPS/IDS and network firewalls, can’t detect it. Server logs don’t capture the portion of URLs after # because it’s never sent to the server, and browser defenses like Content Security Policy (CSP) don’t trigger because nothing on the actual web page is changed.

Tricking users into clicking poisoned links

HashJack is essentially a social engineering attack because it relies on tricking users to click on specially crafted URLs inside emails, chats, websites, or documents. However, this attack can be highly credible because it points to legitimate websites.

For example, imagine a spoofed email that claims to be from a bank advising customers about suspicious activity in their accounts. Hovering over the link included in the email shows that it points to the bank’s real website, HTTPS and everything, but it’s a long link and somewhere in it there’s the # character followed by a prompt for the AI assistant.

Many users are likely to trust such a message since it points to the real bank’s website and because long links with a lot of parameters and paths in them are not unusual. But the prompt that follows the # symbol will cause the AI browser assistant to provide attacker-altered instructions to the user, such as calling an attacker-controlled phone number or WhatsApp link for further customer support about the supposed situation.

In another scenario, a prompt included in the link can tell an AI browser that acts like an agent — for example, Perplexity’s Comet — to take information about the user’s account, transaction history, phone number, and so on from the opened bank site and append it as parameters in a request to the attacker’s server.

Other attacks could involve the prompt causing the AI assistant to display fake information that would mislead the user: fake investment advice promoting a certain stock, fabricated news, dangerous medical advice like wrong doses for medicine, malicious instructions that could open a backdoor on the computer, instructions to re-authenticate that include a link to a phishing site, a link to download malware, and so on.

URL fragments cannot modify page content. They are only used for in-page navigation using the code that’s already there, so they are normally harmless. However, it now turns out that they can be used to modify the output of in-browser AI assistants or agentic browsers, which gives them an entirely new risk profile.

“This discovery is especially dangerous because it weaponizes legitimate websites through their URLs,” the researchers said. “Users see a trusted site, trust their AI browser, and in turn trust the AI assistant’s output-making the likelihood of success far higher than with traditional phishing.”

Different behavior across AI assistantsThe impact was different between the tested AI assistants and across the various scenarios. For example, while prompt injections managed to influence the text output on all the products tested, injecting malicious links proved harder on Gemini Assistant for Chrome, where some links were rewritten as search URLs, and on Edge with Microsoft Copilot, which prompted for additional confirmation when clicking on links in messages.

Perplexity’s Comet, which is an agentic browser that does more than a built-in AI assistant, was the most susceptible one because it also could fetch attacker URLs in the background, with context information attached as parameters.

Microsoft and Perplexity deployed fixes, but Google did not consider the HashJack technique a vulnerability because it views this as part of intended behavior. It’s worth noting that Cato also tested Claude for Chrome and OpenAI’s Operator browser, but the HashJack technique didn’t work on them.

SUBSCRIBE TO OUR NEWSLETTER

From our editors straight to your inbox

Get started by entering your email address below.



Lucian Constantin writes about information security, privacy, and data protection for CSO. Before joining CSO in 2019, Lucian was a freelance writer for VICE Motherboard, Security Boulevard, Forbes, and The New Stack. Earlier in his career, he was an information security correspondent for the IDG News Service and Information security news editor for Softpedia.




Before he became a journalist, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. He lives and works in Romania.




You can reach him at lucian_constantin@foundryco.com or @lconstantin on X. For encrypted email, his PGP key’s fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

More from this author