- Hidden URL fragments allow attackers to manipulate AI assistants without the user’s knowledge
- Some AI assistants automatically send sensitive data to remote endpoints
- Misleading instructions and fake links may appear on otherwise normal websites.
Many browsers’ AIs are coming under scrutiny after researchers revealed how a simple snippet of a URL can be used to influence navigation assistants.
New search for Cato network discovered that “HashJack” technology allows malicious commands to remain undetected by following a hashtag on a legitimate link, creating a path for hidden commands that remain invisible to traditional monitoring tools.
The wizard handles hidden text locally, meaning the server never receives it and the user continues to see a normal page while the browser follows instructions he or she never wrote.
Helper behavior during fragment processing.
Tests have shown that some assistants perform autonomous actions when exposed to these fragments, including actions that transmit data to remote locations controlled by an attacker.
Others provide misleading instructions or promote links that imitate trusted sources, give the appearance of a normal session, and change the information provided to the user.
The browser continues to display the correct website, making it difficult to detect the breach without careful inspection of the wizard’s responses.
Big tech companies are aware of the problem, but their responses vary widely.
Some vendors have provided updates to AI browser features, while others have evaluated expected behavior based on existing design logic.
The companies said protection against indirect suggestion manipulation depends on how each AI assistant reads the instructions on hidden pages.
Common traffic inspection tools can only detect URL fragments leaving the device.
Therefore, traditional security measures provide limited protection in this scenario because the URL fragments never leave the device for inspection.
This requires defenders to go beyond network-level inspection and examine how AI tools are integrated into the browser itself.
Better monitoring requires paying attention to local behavior, including how assistants interact with hidden contexts that are invisible to users.
Organizations must adopt stricter firewall and endpoint protection policies, but these are only one layer and cannot close the visibility gap.
The HashJack method highlights a unique vulnerability in AI-powered browsing that can weaponize legitimate websites without leaving traditional traces.
It is important that companies using AI tools are aware of this limitation, as traditional monitoring and response measures cannot fully capture these threats.
How to stay safe
- Limit sharing of personal information online.
- Check financial accounts for unusual activity.
- Use unique, strong passwords for all accounts.
- Check URLs before connecting to websites.
- Be wary of unsolicited messages or phone calls that appear to be from financial institutions.
- Use antivirus software to protect your devices from malware.
- Enable firewalls to block unauthorized access.
- Use Identity Theft Protection to control your personal information.
- Keep in mind that advanced phishing campaigns and AI-based attacks always carry risks.
- Efficiency depends on consistent deployment across devices and networks.