Two significant current security concerns involve web browser vulnerabilities and AI-related threats. So, when security researchers issue a warning about something that combines both in one handy attack scenario, it’s time for your ears to prick up. HashJack is the latest hacking technique that, the researchers said, can enable attackers to do everything from spread misinformation to steal your credentials. Here’s what you need to know.
The AI HashJack Attack Explained
AI prompt injection attacks are nothing new; they are as old as generative AI services themselves. Google has developed many resources and tools to fight just such prompt-injection risks as they apply to Gemini. Cybercriminals, however, continue to find ways around the protections put in place to prevent the use of malicious prompts in all use-case scenarios. There are even systems, such as GhostGPT, that cybercriminals have flocked to for the purposes of creating malware and phishing scam messaging alike.
Now security researchers from the Cato CTRL Threat Research team at Cato Networks have confirmed the latest addition to the AI-hacker toolset: HashJack.
“HashJack is a newly discovered indirect prompt injection technique that conceals malicious instructions after the # in legitimate URLs,” Vitaly Simonovich, a senior security researcher with Cato CTRL, said. “When AI browsers send the full URL, including the fragment, to their AI assistants,” Simonovich warned, “those hidden prompts get executed.” This is actually as nasty as it sounds, because by so doing it can enable a variety of malicious and criminal behaviors.
AI HashJack Attack Scenarios
The ability of HashJack to effectively weaponize ordinary websites is, as far as I am aware, unique so far in such threat types. The web servers are none the wiser that everything after the # symbol in an otherwise entirely legitimate URL gets processed by AI browsers, and not ordinary ones, to facilitate the prompt injection attack with complete stealth.
The Cato report has explored a total of six potential HashJack attack scenarios, namely: callback phishing, data exfiltration, misinformation, malware guidance, medical harm, and credential theft.
Callback phishing involves an attacker using the hidden prompts to direct the browser to “add security or support links that point to threat actor resources, including phone numbers and WhatsApp groups that look official,” Simonovich said.
Data exfiltration involves using the hidden fragment to tell an agentic browser to go fetch a threat actor URL and “append user context such as account name, account number, transaction history, profile email, and phone number as parameters,” Simonovich said.
Credential theft involves the embedding of “convincing security steps or re-login instructions in URL fragments that instruct the AI browser assistant to insert a threat actor-controlled login link into responses.”
Simonovich has posted a timeline of reporting and remediation for the AI HashJack attack vulnerability, showing Google Gemini as yet unresolved, Microsoft CoPilot for Edge fixed on October 27, and Perplexity (Comet) fixed on November 18. I have reached out to Google for further clarification.
