A new vulnerability dubbed "HashJack" allows attackers to conceal malicious instructions within the fragment identifier (the part following a '#' symbol) of a web address. This technique exploits how AI browser assistants, like Google Gemini and Microsoft Copilot, read and process the entire URL, including segments normally ignored by web servers. By hiding commands in a trusted website's URL, attackers can manipulate the AI's behavior without needing to compromise the site itself.
The hidden instructions can lead to severe consequences, including credential theft by redirecting users to fake login pages, providing dangerously false medical advice, or in more advanced "agentic" modes, automatically exfiltrating sensitive user data. The AI could even be tricked into giving step-by-step guides for risky system changes, such as opening network ports or downloading malware.
Upon disclosure, Microsoft and Perplexity promptly patched their respective AI browsers, Copilot and Comet. However, Google has reportedly declined to fix the issue for its Gemini assistant, classifying the behavior as intended. This new class of threat highlights a critical gap in AI security, where traditional defenses are bypassed, and the very design of AI assistants introduces novel risks that require urgent vendor attention.
Read more...