Full Report
Hashtag-do-whatever-I-tell-you Cato Networks says it has discovered a new attack, dubbed "HashJack," that hides malicious prompts after the "#" in legitimate URLs, tricking AI browser assistants into executing them while dodging traditional network and server-side defenses.…
Analysis Summary
# Tool/Technique: HashJack
## Overview
HashJack is a novel attack technique discovered by Cato Networks that exploits logic flaws in AI Browser Assistants by embedding malicious instructions directly into the fragment identifier (the part of a URL following a `#` symbol). This technique constitutes an **indirect prompt injection** attack vector, weaponizing otherwise legitimate URLs to influence the AI assistant's execution flow or output without traversing network defenses.
## Technical Details
- Type: Technique (Indirect Prompt Injection via URL Fragment)
- Platform: AI Browser Assistants (e.g., Copilot in Edge, Gemini in Chrome, Comet, and others capable of processing URL fragments for LLM context).
- Capabilities: Bypasses traditional network and server-side security controls; manipulates AI assistant actions; weaponizes trusted websites.
- First Seen: July/August 2025 (when reported to Perplexity/Google/Microsoft).
## MITRE ATT&CK Mapping
Since HashJack is a novel technique exploiting LLM functionality, direct, precise mappings are emerging. Based on the objective of manipulating user interaction and system response through unexpected context:
- **TA0001 - Initial Access** (Conceptual overlap, using the URL as the delivery mechanism)
- **T1566 - Phishing** / **T1566.001 - Spearphishing Attachment** (Conceptual link to manipulating user trust via seemingly safe content/links)
- **TA0002 - Execution** (The malicious instructions are executed by the LLM)
- **T1608.002 - Execution through LLM Input** (Hypothetical mapping for LLM-specific execution context)
- **TA0011 - Command and Control** (If outbound communication is achieved)
- **T1071 - Application Layer Protocol** (If the injection prompts data exfiltration via HTTP/S)
## Functionality
### Core Capabilities
* **URL Fragment Weaponization:** Appends malicious commands after the `#` in a legitimate URL.
* **Indirect Injection:** The malicious instruction is part of the content (the URL) the AI assistant is processing, rather than being typed directly by the user.
* **Evasion of Traditional Defenses:** Because URL fragments remain client-side and do not typically trigger network inspection or server-side filtering, the payload is hidden from conventional network security tools.
### Advanced Features
* **AI Manipulation:** Can force AI assistants to execute actions like data exfiltration, disseminate misinformation, deliver malicious links, or provide harmful guidance (e.g., incorrect medical advice).
* **Agent Interaction:** Capable of commanding agent-capable AI browsers (like Comet) to interact with endpoints, potentially leading to data theft.
* **Trust Exploitation:** Leverages the user's implicit trust in both the displayed legitimate website and the output of their integrated AI assistant.
## Indicators of Compromise
- File Hashes: N/A (The technique relies on URL structure, not static files delivered via traditional means).
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: The attack itself does not require external C2 traffic to initiate, but successful execution can lead to:
- Outbound communication attempts initiated by the agent (e.g., data exfiltration to attacker-controlled endpoints disguised as legitimate browser API calls).
- Behavioral Indicators: Abnormal actions taken by the AI assistant immediately following the processing of a URL containing a `#` fragment, such as initiating unauthorized data transfers or presenting deceptive content contrary to the loaded webpage.
## Associated Threat Actors
Currently, HashJack is described as a newly discovered technique rather than an established threat actor toolset. It is being used by malicious actors exploiting emergent AI browser vulnerabilities.
## Detection Methods
- Signature-based detection: Ineffective against the URL structure itself, as it leverages valid URL syntax on legitimate domains.
- Behavioral detection: Crucial for detecting the *result* of the injection, such as unauthorized outbound network activity triggered by the LLM's instructions.
- YARA rules: Not directly applicable to URL parsing, but potentially useful for detecting known malicious instruction patterns if the attack payload is standardized.
## Mitigation Strategies
* **AI Governance:** Implement strict policies regarding which AI assistants/features are permitted to run within the browser environment.
* **Fragment Blocking:** Implement client-side defenses or browser configuration changes to block, sanitize, or ignore input within the URL fragment identifier (`#`) when processing context for the LLM.
* **Client-Side Monitoring:** Monitor the actions and context being consumed by agent-capable AI browsers, looking past standard network egress points.
* **Vendor Patching:** Ensure AI browsers (Copilot, Gemini, etc.) are updated, as Microsoft and Perplexity issued fixes in response to the disclosure, while Google classified it differently ("won't fix (intended behavior)").
## Related Tools/Techniques
* **Direct Prompt Injection:** Where malicious instructions are explicitly entered by the user or appear obviously in the input field.
* **LLM Manipulation Attacks:** Broader category encompassing techniques aimed at confusing or subverting Large Language Models.