Recent research has revealed that many AI browsers may be at risk from a novel hacking method that exploits hidden text in URLs. Experts say the technique, called “HashJack,” allows attackers to insert commands after a hashtag in an otherwise legitimate link, which the browser assistant processes without alerting users or servers.
How the HashJack technique works
Cato Networks’ study demonstrated that HashJack lets malicious instructions remain hidden in the browser. The assistant interprets the text locally, meaning it does not transmit the instructions to the server. Users continue to see a normal web page while the browser quietly executes the commands.
Tests revealed that certain AI assistants could autonomously take action after encountering these fragments, including sending data to external locations controlled by attackers. Others generated misleading guidance or promoted links that appeared to be from trusted sources, creating the impression of a normal session while altering the information presented to the user. The page displayed in the browser remained unchanged, making the intrusion difficult to detect without close monitoring of the assistant’s behaviour.
Industry response and challenges
Major technology firms have been notified of the vulnerability, but responses have varied. Some companies issued updates to their AI browser features, while others considered the behaviour to be expected under existing design logic.
Defending against this type of indirect prompt manipulation depends on how each AI assistant interprets hidden instructions on a page. Traditional traffic inspection tools only monitor URL fragments that leave the device. Because HashJack fragments are processed locally, conventional security measures offer limited protection. Experts say defenders must look beyond network-level monitoring and examine how AI assistants integrate with browsers, with particular attention to local behaviour invisible to users.
Stronger protection requires stricter endpoint security and tighter firewall rules, though these measures do not fully address the visibility gap. HashJack highlights a vulnerability unique to AI-assisted browsing, where even legitimate websites can be weaponised without leaving conventional traces. Awareness of these limitations is essential for organisations deploying AI tools, as traditional monitoring methods cannot fully capture such threats.
Tips for staying safe online
Experts recommend limiting the personal information shared online and monitoring financial accounts for unusual activity. Using unique, complex passwords and verifying URLs before logging in can reduce the risk of attacks. Users should also exercise caution with unsolicited messages or calls claiming to be from financial institutions and ensure antivirus software and firewalls are enabled. Identity theft protection services can help monitor sensitive information, though experts stress that even sophisticated measures cannot eliminate the risk from AI-driven attacks and phishing campaigns. Consistent implementation across all devices and networks remains key to maintaining security.
HashJack serves as a reminder that, while convenient, AI browsers introduce new cybersecurity risks that require careful oversight.
