HashJack Indirect Prompt Injection Weaponizes Websites (www.infosecurity-magazine.com)

Security researchers at Cato Networks disclosed "HashJack," a new indirect prompt‑injection technique that hides malicious instructions in the URL fragment (the text after “#”) of otherwise legitimate pages. Because fragment identifiers are processed client‑side and never sent to web servers, AI‑powered browsers and assistants (Cato flagged Comet, Copilot for Edge and Gemini for Chrome) can parse and obey these hidden prompts even though network/server defenses and IDS see nothing malicious. A victim who clicks a normal link sees a benign page, but if they later query an AI browser about that page the embedded fragment can trigger hidden instructions. HashJack is notable because it weaponizes any site without compromising the host and circumvents traditional detection tools. Cato outlines concrete abuse cases: injecting phishing/support links that point to attacker channels, instructing agentic assistants to fetch attacker URLs and merge user context for data exfiltration, seeding misinformation into responses, initiating harmful actions (open ports, download malicious packages), or inserting attacker-controlled login links for credential theft. Perplexity and Microsoft patched Comet and Copilot for Edge as of Nov 25; Gemini for Chrome remained vulnerable, while Claude for Chrome and OpenAI’s Atlas were not affected. The incident underscores an urgent need in the AI/ML community for stricter input provenance, treating URL fragments as untrusted, limiting agentic web fetches and side effects, and updating browser/assistant designs to strip or validate fragments before feeding them to LLMs.