Imagine innocently clicking a link, only to unleash a hidden scam that manipulates your AI browser – welcome to the shadowy world of 'HashJack' attacks! This isn't just tech jargon; it's a real threat that could trick even the smartest digital assistants into doing something sinister. But here's where it gets controversial: Are AI browsers really as trustworthy as we think, or are they just waiting for the next clever hacker to exploit them? Stick around, because this is the part most people miss – how a simple URL can turn your trusted tool into a liability.
'HashJack' Demo Conceals Harmful Commands Within Web Addresses
December 2, 2025
• 3 min read
Billy Hurley has been reporting for IT Brew since 2022, focusing on cybersecurity risks, advancements in artificial intelligence, and strategic IT approaches.
Think about web addresses – those URLs we click on every day. If someone tucks a sneaky message behind the '#' symbol, it might just lead to a fraudulent response from a cybercriminal. A recent demonstration from the IT security firm Cato Networks illustrates how embedding dangerous instructions after the hashtag in an extended, seemingly innocent URL can deceive an AI browser's large language model (LLM) into executing those orders. To make this clearer for beginners, a large language model is like the brain behind AI chatbots, processing and responding to text inputs. Prompt injection, in simple terms, is when someone slips in commands that override the AI's intended behavior, much like whispering a secret instruction that changes how it acts.
While Microsoft and Perplexity have reportedly patched the 'HashJack' flaw in their AI browsers after witnessing this method, fresh prompt injection techniques continue to emerge, posing risks to cutting-edge technologies such as these intelligent browsing tools.
“One of the biggest weaknesses in AI systems is prompt injection,” explained Vitaly Simonovich, a Senior Security Researcher at Cato, in an interview with IT Brew. He described it as a strategy where an attacker inserts text that dupes a large language model into carrying out harmful actions.
Here's how it operates – and this is the part most people miss, as it's deceptively simple yet powerful. Simonovich, who had earlier deceived LLMs using lengthy narratives, experimented with a long URL this time. The expert wove malicious directives right into the web address. When certain AI browsers equipped with chatbots access the page, the bot incorporates the URL as background information for a user's question. Concealed commands within the link are then fed to the LLM, and in several instances, the AI complied. Since these URL fragments remain confined to the browser, this approach could potentially slip past standard network-based security scans.
The Cato Networks blog showcased this vulnerability through multiple scenarios:
- A query to Google's Gemini about 'new services and benefits' triggered a callback phishing scam.
- A question about loans directed to Perplexity's AI helper Comet included hidden directives to transmit the user's financial details to a hacker-controlled site.
- An inquiry about 'new services' caused Microsoft's Copilot to present a fake 'verify your account now' login prompt.
To put this in perspective, picture asking your AI for help with online banking, only for it to unknowingly send your data to thieves – that's the everyday risk beginners might not realize.
Top Insights for IT Professionals
From cybersecurity and big data to cloud computing, IT Brew delivers the newest trends influencing business technology through our four-times-weekly newsletter, online seminars with sector leaders, and downloadable guides.
Even though Microsoft and Perplexity implemented remedies for these prompt injections, as detailed in Cato's post, Google's problem reportedly persists as of this writing. (Google declined to provide a comment to IT Brew before publication.)
Prompts aplenty – and here's where it gets controversial. Critics might argue that AI companies should prioritize security over rapid innovation, but others claim constant updates are necessary for progress. Researchers are uncovering new prompt injection methods quite frequently these days – a recent study even showed how a 'poetic' format in a query can compel an AI browser to malfunction.
“The LLMs are changing, much like websites and apps keep getting updates. There's always a fresh release out there. With each new iteration and technology comes novel weaknesses and creative human cleverness,” said prompt-injection expert Joey Melo to IT Brew in August.
Just one day after OpenAI unveiled its ChatGPT Atlas browser on October 21, the company's Chief Information Security Officer remarked on X that prompt injection represents “an emerging risk” under careful investigation and reduction.
“Our ultimate aim is for users to feel confident trusting a ChatGPT agent with their browser, similar to how you'd rely on your most skilled, reliable, and security-conscious colleague or buddy,” wrote Dane Stuckey at the time.
Top Insights for IT Professionals
From cybersecurity and big data to cloud computing, IT Brew delivers the newest trends influencing business technology through our four-times-weekly newsletter, online seminars with sector leaders, and downloadable guides.
So, what's your take? Do you think AI browsers are worth the risk, or should we demand stricter safeguards before trusting them with our data? Is prompt injection just a tech hiccup, or a sign that we're outpacing our ability to secure these tools? Share your thoughts in the comments – agree, disagree, or offer your own controversial counterpoint. Are we as a society too quick to adopt AI without fully grasping its vulnerabilities? Let's discuss!
