HashJack Attack: AI Browsers Fooled by #URL Hijinks in Security Nightmare

HashJack is the latest buzz in the cybersecurity world—a sneaky attack that hides commands after the “#” in URLs, tricking AI browser assistants. It’s like AI’s version of “I didn’t see that coming!” Just when you thought URLs couldn’t get any more exciting, they start moonlighting as attack vectors!

3P
Published: November 25, 2025 6:03 pmAdded: November 25, 2025 at 10:33 amAssembled by: The Editor
Pro Dashboard

Hot Take:

It seems AI browser assistants have found a new game of hide and seek with HashJack, hiding malicious prompts right under our noses, or rather, right after the ‘#’. Who knew URLs could become the next great escape room for hackers?

Key Points:

  • HashJack is a newly discovered attack exploiting AI browser assistants by hiding malicious commands in URL fragments.
  • The attack targets AI browsers like Copilot in Edge, Gemini in Chrome, and Comet from Perplexity AI.
  • Because fragments in URLs never leave the AI browser, traditional defenses can’t detect these malicious instructions.
  • Cato Networks alerted major tech companies, with varying responses from Google, Microsoft, and Perplexity AI.
  • The attack highlights the need for new security measures beyond typical network and server-side defenses.

Membership Required

 You must be a member to access this content.

View Membership Levels
Already a member? Log in here
The Nimble Nerd
powered by the NSA, er,  GDPR Cookie Compliance
Confessional Booth of Our Digital Sins

Okay, deep breath, let's get this over with. In the grand act of digital self-sabotage, we've littered this site with cookies. Yep, we did that. Why? So your highness can have a 'premium' experience or whatever. These traitorous cookies hide in your browser, eagerly waiting to welcome you back like a guilty dog that's just chewed your favorite shoe. And, if that's not enough, they also tattle on which parts of our sad little corner of the web you obsess over. Feels dirty, doesn't it?