A newly identified security flaw in AI-enhanced web browsers allows attackers to weaponize legitimate websites for data theft, credential harvesting and disinformation without breaching the sites themselves, researchers said Tuesday.
The vulnerability, discovered by the Cato CTRL research team at Israeli cybersecurity firm Cato Networks, affects widely used AI browser assistants, including Google’s Gemini, Microsoft’s Copilot and Perplexity’s Comet.
Cyber breach in AI-enhanced browsers allows any website to become an attack vector
(Video: Cato Networks)
According to the report, attackers can manipulate these AI assistants into showing users fake customer-service phone numbers and fraudulent links, or extract sensitive data and send it to malicious destinations without the user’s knowledge. Other scenarios include stealing login credentials and inserting false information or narratives that could influence user decisions.
The attack method, which the researchers call HashJack, requires only that malicious instructions be added after the “#” symbol in a legitimate URL. When the user loads the page in an AI-enabled browser, the hidden text is processed by assistants such as Gemini or Copilot, triggering the attack.
Cato Networks said the technique evades traditional security tools because the URL fragment — everything after the “#” — never leaves the user’s browser and cannot be seen by network or server-side defenses.
Since both the URL and website appear legitimate, users have little reason to suspect anything is wrong, unlike in typical phishing attempts. The researchers warn that this allows any trustworthy website to function as an unwitting attack vector, even though it is never compromised.
Cato Networks said the findings point to a growing class of AI-driven cyber threats stemming from the way AI browser assistants interpret user context and page content.