"Prompt injection occurs when something causes text that the user didn't write to become commands for an AI bot. Direct prompt injection happens when unwanted text gets entered at the point of prompt input, while indirect injection happens when content, such as a web page or PDF that the bot has been asked to summarize, contains hidden commands that AI then follows as if the user had entered them."
"Cato describes HashJack as "the first known indirect prompt injection that can weaponize any legitimate website to manipulate AI browser assistants." It outlines a method where actors sneak malicious instructions into the fragment part of legitimate URLs, which are then processed by AI browser assistants such as Copilot in Edge, Gemini in Chrome, and Comet from Perplexity AI. Because URL fragments never leave the AI browser, traditional network and server defenses cannot see them, turning legitimate websites into attack vectors."
An attack named HashJack hides malicious prompts in the fragment portion of legitimate URLs by appending a '#' and injecting commands after it. AI browser assistants can read and execute those fragments locally, enabling indirect prompt injection that bypasses network and server-side defenses because URL fragments never leave the browser. The technique can weaponize any legitimate website to manipulate assistants like Copilot, Gemini, and Comet. Outcomes include data exfiltration, phishing, misinformation, malware guidance, and potentially harmful medical advice such as incorrect dosages. Traditional defenses and server-side controls are ineffective against this attack vector, increasing risk to users.
Read at Theregister
Unable to calculate read time
Collection
[
|
...
]