HashJack Attack Hijacks AI Browsers and Assistants

Summary
– Security researchers discovered HashJack, a technique that forces AI browsers and assistants to deliver phishing links, disinformation, or send sensitive data to attackers.
– HashJack works by hiding malicious instructions in the #fragment of a URL, which can be shared via email, social media, or embedded on webpages.
– The attack was tested on various AI browsers and assistants, with successful exploitation on Perplexity’s Comet, Microsoft’s Copilot for Edge, and Google’s Gemini for Chrome.
– Microsoft and Perplexity implemented fixes after disclosure, but Google classified HashJack as intended behavior and only addressed a low-severity bug.
– Claude for Chrome was immune to HashJack due to its different architecture, and widespread exploitation is unlikely due to the multi-step process required.
Security researchers have identified a sophisticated manipulation method targeting AI-powered browsing tools, where attackers embed malicious commands within the harmless-looking fragment section of a web address. This technique, named HashJack, exploits the way AI assistants process webpage content, potentially leading them to insert dangerous links, share confidential user information, or promote harmful actions disguised as helpful advice.
By distributing these specially crafted URLs through emails, social posts, or compromised sites, threat actors can trigger the AI to execute hidden instructions the moment a user asks a question. The AI then integrates these commands into its reply, which might involve adding a deceptive hyperlink, suggesting incorrect procedural steps, or silently transmitting data to an external server. Even cautious individuals who inspect links may miss the threat, as the harmful code is often concealed to avoid detection.
The effectiveness of HashJack varies significantly across different platforms. During testing, it successfully manipulated Perplexity’s Comet browser, Microsoft’s Copilot for Edge, and Google’s Gemini for Chrome. However, Claude for Chrome and OpenAI’s Atlas remained unaffected. According to senior security researcher Vitaly Simonovich, AI browsers and their integrated assistants possess broad access to page contents to function properly, but this very capability introduces risk. Any unverified context passed between the AI browser and its assistant can become a potential threat vector, he emphasized. In more advanced agentic systems, the danger escalates: these tools might automatically harvest and send user-inputted data directly to servers controlled by attackers.
Following responsible disclosure by the researchers, both Perplexity and Microsoft have rolled out patches. The fixes are included in specific updated versions of their software. Google, however, categorized the issue differently. The company described HashJack’s effects as a form of social engineering rather than a technical security flaw, acknowledging only a minor bug related to search redirects. Simonovich noted that Claude for Chrome was inherently protected because its architecture does not permit direct access to the URL fragment where the malicious code is hidden.
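The defensive idea behind that architecture, keeping the fragment out of what the assistant sees, is shown here as an added JavaScript example (not code from the researchers or any vendor): strip the fragment before building the assistant's context, and flag fragments that decode to free text. Function names, thresholds and sample URLs are assumptions constructed for illustration.

```javascript
// Added example. Function names and sample URLs are constructed for illustration.

// Remove the #fragment so it never reaches the assistant's context.
function stripFragment(rawUrl) {
  const u = new URL(rawUrl);
  u.hash = '';
  return u.toString();
}

// Heuristic triage of a fragment. Ordinary fragments are short anchors
// ("#install") or client-side routes ("#/users/42"); one that decodes to a
// long, multi-word sentence is unusual and worth review. Scroll-to-text
// fragments ("#:~:text=...") can trip it too, so treat a hit as a signal.
function assessFragment(rawUrl, { maxLength = 80, maxWords = 4 } = {}) {
  const fragment = new URL(rawUrl).hash.slice(1);
  const reasons = [];
  if (fragment === '') return { present: false, suspicious: false, reasons };
  let decoded = fragment;
  try {
    decoded = decodeURIComponent(fragment);
  } catch (e) {
    reasons.push('malformed percent-encoding');
  }
  if (decoded.length > maxLength) reasons.push('length ' + decoded.length + ' > ' + maxLength);
  const words = decoded.split(/[\s+]+/).filter((w) => /[A-Za-z]{2,}/.test(w));
  if (words.length > maxWords) reasons.push(words.length + ' words of free text');
  return { present: true, suspicious: reasons.length > 0, reasons };
}

// Build what the assistant is allowed to see: the fragment-free URL plus
// page text. The fragment verdict goes to logging/telemetry, not the prompt.
function buildAssistantContext(rawUrl, pageText) {
  return {
    context: { url: stripFragment(rawUrl), pageText },
    fragmentVerdict: assessFragment(rawUrl),
  };
}

// Constructed samples (example.test is a reserved test domain).
const samples = [
  'https://example.test/docs/setup#install',
  'https://example.test/app#/users/42/settings',
  'https://example.test/help#PLACEHOLDER%20free%20text%20addressed%20to%20the%20assistant%20goes%20here',
];
for (const s of samples) {
  const { context, fragmentVerdict } = buildAssistantContext(s, '(page text)');
  console.log(context.url, fragmentVerdict.suspicious, fragmentVerdict.reasons);
}
```

The thresholds are starting points to tune against a site's own traffic; the strip step is the control, the heuristic only feeds detection.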
Fortunately, widespread abuse of this technique is considered unlikely. The attack requires multiple steps and depends on users actively engaging with their AI assistant after visiting the compromised page, rather than just clicking a link. These operational hurdles reduce its immediate exploitability. Still, researchers continue to advocate for stronger built-in defenses across all AI browsing platforms to prevent similar manipulation strategies in the future.
(Source: HelpNet Security)





