HashJack Attack: How Hackers Use the ‘#’ Symbol to Control Your AI Browser

A new cyberattack shows how easily AI browsers can be tricked. Cato Networks has found a technique called “HashJack.” It hides malicious instructions after the “#” symbol in a normal website URL. This simple HashJack attack can fool AI browser assistants into following harmful commands. At the same time, it bypasses traditional security tools that protect networks and servers.

The attack takes advantage of a growing problem called prompt injection. This happens when text that the user never wrote becomes a command for an AI system. It can happen directly, when a command is typed into a prompt, or indirectly, when hidden instructions are placed inside content such as a webpage or a PDF. AI browsers are especially weak to indirect prompt injections because they try too hard to be helpful. They guess the user’s intent and perform tasks automatically.

HashJack Attack: How Hackers Use the ‘#’ Symbol to Control Your AI Browser

Cato Networks says HashJack is the first attack that can turn any legitimate website into a weapon against AI browser assistants. It works by adding a “#” at the end of a regular link. This symbol creates a URL fragment. Normally, fragments are harmless and do not change where the link goes. But when attackers add commands after the “#,” AI browser assistants still read them. Since fragments never leave the browser, security systems outside the browser cannot detect them.

When the AI assistant reads the hidden fragment, it may carry out dangerous actions. These can include stealing data, sending it to attackers, creating phishing messages, spreading misinformation, or giving harmful medical advice like incorrect treatment steps or medication doses.

Vitaly Simonovich, a researcher at Cato Networks, said the attack is dangerous because it uses trusted websites. Users see a safe link. They trust their browser. And they trust the AI assistant’s answers. This gives attackers a much higher chance of success than traditional phishing scams.

During tests, Cato found that some AI browsers, like Comet, could be pushed into sending user data to servers controlled by attackers. Even more limited assistants could still be manipulated into showing wrong information or guiding users to dangerous websites. This is different from direct prompt attacks because users think they are simply browsing safely.

See Also: Cybercriminals Replace ‘m’ with ‘rn’ to Fool Microsoft Users

Cato reported the issue to major companies earlier this year. Google and Microsoft were notified in August. Perplexity AI was contacted in July. Google said the behavior was expected and marked the issue as low severity. Perplexity and Microsoft, however, applied fixes to their AI browsers.

Microsoft said it treats every new form of prompt injection as a unique threat. It also said it will continue improving its security to protect users as attacks evolve.

Cato warns that traditional tools like network logs and server-side filters are no longer enough. It recommends several layers of defense. These include blocking suspicious URL fragments, limiting which AI assistants can run, and monitoring the browser environment directly.

As AI browsers move closer to mainstream use, HashJack is a reminder that threats are changing. Attacks no longer need risky websites or obvious scams. Now, danger can hide inside everyday browsing—after nothing more than a simple “#” at the end of a link.