Tuesday 07 July 2026 05:02:54 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

Cyber Intelligence & Threat Trends

Invisible Hand on the Hash: How URL Fragments Are Turning AI Browsers Against Us

A new cyber exploit called HashJack weaponizes a hidden corner of the web to manipulate AI assistants, exposing millions to novel digital deception.

Fast Facts

  • HashJack hides malicious instructions in the “fragment” of a URL-everything after the # symbol.
  • AI-powered browsers like Perplexity’s Comet, Microsoft Copilot, and Google Gemini are vulnerable.
  • The exploit bypasses traditional security tools because URL fragments never reach web servers.
  • Attacks range from phishing links and fake support numbers to data theft and misinformation.
  • Patch responses from major vendors vary: Microsoft and Perplexity fixed it; Google has not.

The Exploit Hiding in Plain Sight

Picture the web as a vast library, each website a trustworthy book. HashJack is like a mischievous librarian scribbling secret instructions in invisible ink-only visible to the AI assistants that now help millions navigate the stacks. The trick? Hiding commands in the URL fragment, the part after the # sign that browsers usually ignore and servers never see.

This overlooked fragment has become a back door. When users visit a legitimate site with a tainted URL and activate their AI helper, the assistant reads the entire address-including the hidden fragment. If that fragment contains instructions, the AI can be duped into following them as if they came from the trusted site itself.

How HashJack Outwits Defenses

Traditionally, security systems like firewalls and intrusion detection watch what flows to and from web servers. But because fragments never leave your browser, they’re invisible to these sentinels. The exploit works in five steps: a crafted link, user visit, AI assistant activation, fragment injection into the prompt, and execution-such as inserting phishing links or leaking personal data.

Agentic browsers like Perplexity’s Comet can even act on these instructions, scraping details and sending them to attackers. Others, like Copilot and Gemini, might display fake links or misinformation, though some browser safeguards may blunt the worst effects.

From Subtle Prank to Serious Threat

The HashJack technique is an evolution of “prompt injection”-a growing problem as AI helpers become common. In the past, attackers slipped malicious prompts directly into conversations. Now, with indirect prompt injection, they hide commands in places AI models automatically read, like URLs or metadata.

Researchers at Cato CTRL demonstrated real-world risks: attackers can inject fake customer support numbers, steal data during loan applications, or even push bogus medical advice. This is reminiscent of earlier attacks using metadata or document comments to trick AI, but HashJack is more insidious: it weaponizes the very trust we place in familiar websites and AI assistants.

Major tech players have scrambled to respond. Microsoft and Perplexity patched their assistants, but Google currently sees this as “intended behavior,” leaving millions potentially exposed. With Edge and Comet serving hundreds of millions, the stakes are high-not just for individuals, but for the companies racing to dominate the AI browser market. The exploit also highlights a broader geopolitical concern: as AI becomes central to digital infrastructure, even obscure technical quirks can ripple out as major security threats.

HashJack is a wake-up call: in the age of AI, even the smallest overlooked detail-like a fragment of a URL-can be a loaded weapon. As AI browsers become our digital guides, vigilance and smarter safeguards are more urgent than ever.

WIKICROOK

  • URL Fragment: A URL fragment is the section of a web address after the '#' symbol, used for navigating to specific parts within a web page.
  • Prompt Injection: Prompt injection is when attackers feed harmful input to an AI, causing it to act in unintended or dangerous ways, often bypassing normal safeguards.
  • Agentic Browser: An agentic browser uses AI to autonomously perform online tasks and make decisions for users, streamlining web interactions and boosting productivity.
  • Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
  • Intrusion Detection System (IDS): An Intrusion Detection System (IDS) monitors network traffic for suspicious or malicious activity, alerting administrators to potential security threats.