Perplexity

Perplexity’s AI-powered browser **Comet** was exposed to **HashJack**, a critical indirect prompt injection vulnerability that exploits URL fragments (the part after the ‘#’ symbol) to execute hidden malicious instructions. The flaw allowed threat actors to bypass traditional security systems, such as server logs, network monitoring, and content security policies, by embedding deceptive prompts (e.g., callback phishing, data exfiltration, misinformation, malware guidance, medical harm, and credential theft) that appeared as legitimate AI-generated responses. Users were tricked into divulging sensitive financial/personal data, installing backdoors, or following harmful medical advice, all while the attack remained undetected because URL fragments are processed client-side.

Perplexity initially dismissed the report but later classified it as **critical severity (P1)**, deploying fixes by **November 18, 2025**. The incident highlights systemic risks in AI browsers, where LLM susceptibility to prompt injection and flawed URL-handling design enable large-scale deception, financial fraud, and operational disruptions. The attack’s stealth and automation potential, particularly in agentic browsers, posed a risk of severe reputational, financial, and trust-based damage, with long-term implications for user safety and regulatory compliance.

Source: https://cyberpress.org/hashjack-a-new-attack/

Perplexity cybersecurity rating report: https://www.rankiteo.com/company/perplexity-ai

"id": "PER3034930112625",
"linkid": "perplexity-ai",
"type": "Vulnerability",
"date": "11/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': 'Users of Microsoft Edge Copilot',
                        'industry': 'Technology',
                        'location': 'Redmond, Washington, USA',
                        'name': 'Microsoft',
                        'size': 'Large',
                        'type': 'Corporation'},
                       {'customers_affected': 'Users of Google Gemini for '
                                              'Chrome',
                        'industry': 'Technology',
                        'location': 'Mountain View, California, USA',
                        'name': 'Google',
                        'size': 'Large',
                        'type': 'Corporation'},
                       {'customers_affected': 'Users of Perplexity Comet',
                        'industry': 'AI/Technology',
                        'location': 'San Francisco, California, USA',
                        'name': 'Perplexity AI',
                        'size': 'Medium',
                        'type': 'Corporation'}],
 'attack_vector': ['Malicious URL Fragments (Post-‘#’)',
                   'AI Assistant Context Poisoning',
                   'Client-Side Execution'],
 'customer_advisories': ['Users advised to avoid clicking AI-generated links '
                         'from untrusted URLs.',
                         'Recommend disabling AI assistant features in '
                         'browsers until patches are applied (for Google '
                         'Gemini).'],
 'data_breach': {'data_exfiltration': ['Automated (via Agentic Browsers like '
                                       'Comet)'],
                 'personally_identifiable_information': ['Credentials',
                                                         'Financial Records',
                                                         'Personal Details'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Financial Data',
                                              'Personal Data',
                                              'Credentials',
                                              'Medical Information (via '
                                              'Misinformation)',
                                              'IoT Device Access']},
 'date_publicly_disclosed': '2025-08-20',
 'description': 'A newly discovered indirect prompt injection technique called '
                'HashJack exploits a critical design flaw in AI-powered '
                'browsers (e.g., Perplexity’s Comet, Microsoft Edge Copilot, '
                'Google’s Gemini for Chrome). Threat actors conceal malicious '
                'instructions after the ‘#’ symbol in legitimate URLs, which '
                'are executed by AI assistants without detection by '
                'traditional security systems. The attack leverages URL '
                'fragments (client-side only) to bypass server logs, network '
                'monitoring, and content security policies. Six attack '
                'scenarios were identified, including callback phishing, data '
                'exfiltration, misinformation, malware guidance, medical harm, '
                'and credential theft.',
 'impact': {'brand_reputation_impact': ['High (Due to AI Manipulation and '
                                        'Undetectable Attacks)'],
            'data_compromised': ['Sensitive Financial Data',
                                 'Personal Data',
                                 'Credentials'],
            'identity_theft_risk': ['High (Via Credential Theft and PII '
                                    'Exposure)'],
            'operational_impact': ['Automated Data Exfiltration',
                                   'Unauthorized AI Assistant Actions',
                                   'User Trust Erosion'],
            'payment_information_risk': ['High (Financial Data Exfiltration)'],
            'systems_affected': ['AI-Powered Browsers (Perplexity Comet, '
                                 'Microsoft Edge Copilot, Google Gemini for '
                                 'Chrome)',
                                 'User Devices',
                                 'IoT Devices (via Malware Guidance)']},
 'initial_access_broker': {'backdoors_established': ['Via Malware Guidance '
                                                     'Scenarios (IoT/Device '
                                                     'Compromise)'],
                           'entry_point': 'Malicious URL Fragments (Post-‘#’) '
                                          'in Legitimate Websites',
                           'high_value_targets': ['Financial Data',
                                                  'Personal Identifiable '
                                                  'Information (PII)',
                                                  'Credentials',
                                                  'Medical Data']},
 'investigation_status': [{'entity': 'Microsoft',
                           'status': 'Resolved (2025-10-27)'},
                          {'entity': 'Google',
                           'status': 'Unresolved (Ongoing as of 2025-11-25)'},
                          {'entity': 'Perplexity',
                           'status': 'Resolved (2025-11-18)'}],
 'lessons_learned': ['AI browsers must exclude URL fragments from LLM context '
                     'to prevent prompt injection.',
                     'Client-side-only attacks evade traditional security '
                     'tools, requiring new detection frameworks.',
                     'User trust in AI assistants can be exploited via '
                     'seemingly legitimate URLs.',
                     'Proactive security research is critical for emerging '
                     'AI-driven attack surfaces.'],
 'motivation': ['Financial Gain',
                'Data Theft',
                'Misinformation',
                'Credential Harvesting',
                'Malware Distribution',
                'Medical Harm'],
 'post_incident_analysis': {'corrective_actions': ['Patch AI browsers to '
                                                   'exclude fragments from LLM '
                                                   'context '
                                                   '(Microsoft/Perplexity).',
                                                   'Develop fragment-aware '
                                                   'security tools for '
                                                   'client-side monitoring.',
                                                   'Implement user warnings '
                                                   'for AI-generated content '
                                                   'from external URLs.',
                                                   'Establish industry '
                                                   'standards for secure AI '
                                                   'browser design.'],
                            'root_causes': ['AI browsers treating URL '
                                            'fragments as legitimate context '
                                            'for LLMs.',
                                            'Lack of fragment inspection in '
                                            'security tools (server-side and '
                                            'network-level).',
                                            'Over-reliance on client-side '
                                            'execution without validation.',
                                            'Design flaw in AI assistant '
                                            'architecture (trusting '
                                            'unvalidated URL inputs).']},
 'recommendations': ['Exclude URL fragments from AI assistant context windows.',
                     'Implement client-side monitoring for malicious prompt '
                     'execution.',
                     'Educate users on the risks of AI-generated suggestions '
                     'from untrusted sources.',
                     'Develop standardized security frameworks for AI-powered '
                     'browsers.',
                     'Enhance collaboration between AI vendors and security '
                     'researchers.'],
 'references': [{'source': 'Cato CTRL Security Research'}],
 'response': {'enhanced_monitoring': ['Fragment Inspection in AI Context '
                                      'Windows (Proposed)'],
              'incident_response_plan_activated': [{'entity': 'Microsoft',
                                                    'fix_date': '2025-10-27',
                                                    'status': 'Acknowledged '
                                                              '(2025-08-20)'},
                                                   {'entity': 'Google',
                                                    'fix_date': None,
                                                    'status': 'Classified as '
                                                              "'Intended "
                                                              "Behavior' (Low "
                                                              'Severity, '
                                                              '2025-10-03)'},
                                                   {'entity': 'Perplexity',
                                                    'fix_date': '2025-11-18',
                                                    'status': 'Initially '
                                                              'Dismissed; '
                                                              'Later Triaged '
                                                              'as Critical '
                                                              '(P1, '
                                                              '2025-10-10)'}],
              'remediation_measures': ['Microsoft: Patch Released (2025-10-27)',
                                       'Perplexity: Fixes Applied (2025-11-18)',
                                       'Google: No Remediation (Ongoing as of '
                                       '2025-11-25)'],
              'third_party_assistance': ['Cato CTRL (Security Research)']},
 'title': 'HashJack: Indirect Prompt Injection Exploit in AI-Powered Browsers',
 'type': ['Prompt Injection',
          'AI Manipulation',
          'Client-Side Attack',
          'Social Engineering'],
 'vulnerability_exploited': ['AI Browser Design Flaw (Fragment Inclusion in '
                             'Context)',
                             'LLM Susceptibility to Prompt Injection',
                             'Lack of Fragment Inspection in Security Tools']}