Israeli cybersecurity researchers discovered a critical vulnerability in popular AI-powered browsers that transforms any legitimate website into a potential hacking tool without requiring attackers to breach the sites themselves.
The vulnerability was discovered by the Cato CTRL research group of cybersecurity company Cato Networks and originates in common AI tools, including Google's Gemini, Microsoft's Copilot, and Perplexity's Comet.
The research demonstrated primary attack scenarios in which attackers direct AI assistants to display fake phone numbers and links to users when they request customer service contact information for various organizations. The scenarios included extracting sensitive user data and sending it to malicious sources without the user's knowledge, stealing login credentials, displaying false information, and creating fake narratives that could influence the user and lead to wrong decisions.
The technique used by attackers is called HashJack. All they need to do is add a prompt – malicious instructions – to a legitimate website address and distribute it. Once a user loads the website address with the malicious addition in the browser, the instructions "communicate" with smart AI assistants, such as Google's Gemini or Microsoft's Copilot, and trigger attack scenarios.
According to Cato Networks, traditional defense systems do not detect the attack because they operate through prompts (instructions) embedded in the website address after the hashtag symbol # in a process that does not leave the browser's work.
The attack exploits users' trust in legitimate websites by using link addresses that appear legitimate. The user has no reason to suspect at any stage of the process, unlike phishing sites that look suspicious. This way, any legitimate site could become an attack tool – with attackers not even needing to breach the site itself. They exploit how AI browsers interpret instructions after the hashtag symbol. This effectively creates a new subcategory of cyber threats in the AI world.
According to the company's statement, the companies whose tools the vulnerabilities were identified in were informed well in advance of the problems so they could address them before users were exposed to threats (a practice known in the cyber field as "white hat hacker" hacking). According to Cato's data, a fix was applied in the Copilot for the Edge browser on October 27, 2025. In the Comet browser, a fix was reported to have been applied on November 18, 2025. In the Gemini for Chrome browser, as of November 25, 2025, the problem has not yet been resolved.
