Politics

AI browser vulnerabilities expose new cyberattack frontiers with 'HashJack' and PromptLock

Monday, 1 December 2025 7:19PM UTC

Enhancements in agentic AI browsers are bringing revolutionary user interactions but also opening up sophisticated threats like prompt injection, indirect exploits, and AI-powered ransomware, prompting urgent calls for improved cybersecurity measures.

Agentic AI browsers, web browsers enhanced with artificial intelligence capable of reasoning and performing complex tasks, are rapidly gaining traction, promising powerful new ways to interact with the internet. However, these innovations have simultaneously opened novel avenues for cyberattacks, particularly prompt injection attacks, which exploit how AI processes input data to manipulate its behaviour or extract sensitive information.

Prompt injection attacks involve inserting malicious instructions into the textual prompts that AI systems receive, causing unexpected, biased, or even harmful outputs. These can range from generating incorrect or offensive responses to more serious consequences like phishing, data theft, or misinformation. Google’s Red Team has identified prompt injection among the prevalent abuse methods targeting AI systems, along with data poisoning and backdoors. A particularly alarming form of exploitation is indirect prompt injection, where legitimate websites are weaponised to deliver hidden instructions to AI assistants embedded in browsers. Known as "HashJack," this method exploits URL fragments, portions of a website address often ignored by users, that do not leave the browser and evade traditional security scrutiny. When a victim interacts with such a site via an AI browser assistant, the embedded malicious prompts can trigger phishing attacks, data exfiltration, or the dissemination of dangerous false information, including incorrect medical advice.

One high-profile example of this vulnerability surfaced in Perplexity AI’s Comet browser, which provides AI-powered summarisation and assistance features. Security audits by firms like Brave and Guardio revealed that Comet was susceptible to indirect prompt injections that let attackers execute harmful commands, potentially compromising user accounts and sensitive data. The issue was underscored by LayerX cybersecurity, which dubbed the exploit "CometJacking", hidden URL prompts manipulating AI to leak personal content such as emails and calendar information. Though Perplexity initially minimised the severity of the flaw, they have since patched it, asserting that no exploitation occurred so far. These incidents underline wider concerns that integrating AI capabilities into browsers without mature security frameworks can expose users to new risks, especially when the AI’s decision-making is trusted blindly.

Beyond browsers, prompt injection risks span other AI applications. Meta AI’s chatbot system was found to have a flaw last year allowing users to access other users’ private prompts and generated responses by tweaking network traffic identifiers. This breach, patched promptly by Meta after disclosure by security researcher Sandeep Hodkasia, highlights that even established AI providers have struggled to secure user data fully, reinforcing the necessity for vigilant security practices in AI deployments.

Similarly, generative AI used in complex enterprise environments can be manipulated through second-order prompt injection. ServiceNow’s Now Assist platform, for example, enables task delegation between AI agents. Researchers discovered that a low-privilege agent could be tricked into issuing malicious requests carried out by higher-privileged agents, effectively turning the AI into a malicious insider capable of exposing sensitive corporate data. In this case, the vulnerability stemmed from default configuration settings rather than a technical bug, prompting experts to recommend enhanced oversight, disabling autonomous overrides, and strict role segmentation to mitigate these threats.

Meanwhile, security researchers have uncovered even more worrying AI-enabled cybercrime innovations. ESET recently identified "PromptLock," possibly the first AI-powered ransomware strain. By leveraging OpenAI's gpt-oss:20b model, PromptLock autonomously generates malicious code that can scan, steal, encrypt, or destroy data across platforms, signalling a new era where AI automation heightens the complexity and scale of cyberattacks. Although currently a proof-of-concept without direct destructive impact, PromptLock underscores the urgency of proactive cybersecurity in the AI age.

Given these layered threats, from browser-based prompt injections and phishing to advanced insider attacks and AI-automated ransomware, users and developers alike must exercise caution. Experts advise users to avoid sharing sensitive information through AI browsers, maintain up-to-date software, remain sceptical of AI-generated content, verify links and contact details rigorously, and employ security measures like multi-factor authentication and VPNs to bolster protection. At the development level, continuous security audits, prompt patching, configuration hardening, and supervising AI behaviour are essential steps to limit exploitation.

While AI-powered browsers and assistants hold great promise for enhancing productivity and user experience, their rapid deployment has outpaced the establishment of robust security practices, resulting in significant vulnerabilities. The evolving landscape demands heightened awareness and responsibility both from providers and users to navigate the balance between innovation and safety in an increasingly AI-integrated digital world.

📌 Reference Map:

^[1] (ZDNET) - Paragraphs 1, 2, 3, 6, 7, 8, 9
^[5] (The Register) - Paragraph 3
^[2] (Tom's Hardware) - Paragraph 4
^[6] (TIME) - Paragraph 4
^[3] (Tom's Guide) - Paragraph 5
^[4] (TechRadar) - Paragraph 6
^[7] (IT Pro) - Paragraph 7

Source: Noah Wire Services

More on this

https://www.zdnet.com/article/use-an-ai-browser-5-ways-to-protect-yourself-from-prompt-injections-before-its-too-late/ - Please view link - unable to able to access data
https://www.tomshardware.com/tech-industry/cyber-security/perplexitys-ai-powered-comet-browser-leaves-users-vulnerable-to-phishing-scams-and-malicious-code-injection-brave-and-guardios-security-audits-call-out-paid-ai-browser - Security audits by Brave and Guardio have uncovered significant vulnerabilities in Perplexity's Comet AI-powered browser, launched in July 2025. The 'Summarize this webpage' feature can be manipulated via indirect prompt injections, allowing malicious actors to exploit the browser's AI to execute harmful commands. This could lead to unauthorized access to users' Perplexity accounts, sensitive data, and various digital services. Additionally, Comet is susceptible to basic online scams and phishing tricks, such as prompting users to input banking credentials into fake websites. Both companies emphasize that AI trust introduces new security dangers, as user judgment is bypassed and AI decision-making can be unreliable. ([tomshardware.com](https://www.tomshardware.com/tech-industry/cyber-security/perplexitys-ai-powered-comet-browser-leaves-users-vulnerable-to-phishing-scams-and-malicious-code-injection-brave-and-guardios-security-audits-call-out-paid-ai-browser?utm_source=openai))
https://www.tomsguide.com/computing/online-security/meta-ai-was-leaking-chatbot-prompts-and-answers-to-unauthorized-users - A vulnerability found in Meta AI's chatbot system last year allowed users to access private prompts and AI-generated responses from other users due to a security flaw. Discovered by Sandeep Hodkasia, founder of AppSecure, the issue was reported to Meta on December 26, 2024, and fixed by January 24, 2025. The flaw involved modifying a unique identifier in the browser's network traffic, which enabled unauthorized access to others’ chatbot interactions without permission checks on the server. Meta has since patched the flaw, awarded a $10,000 bug bounty to Hodkasia, and stated there was no evidence of the vulnerability being exploited in the wild. This incident follows a previous breach in which Meta AI conversations were unintentionally made public, emphasizing the importance of securing chatbot conversations, especially when they may include sensitive data. ([tomsguide.com](https://www.tomsguide.com/computing/online-security/meta-ai-was-leaking-chatbot-prompts-and-answers-to-unauthorized-users?utm_source=openai))
https://www.techradar.com/pro/security/second-order-prompt-injection-can-turn-ai-into-a-malicious-insider - Security researchers at AppOmni have identified a critical vulnerability in ServiceNow's Now Assist generative AI platform, termed 'second-order prompt injection,' which could effectively transform the AI into a malicious insider. Now Assist facilitates agent-to-agent collaboration, where one AI agent can delegate tasks to another. This collaboration can be exploited: a lower-privileged agent can be tricked into issuing harmful requests that higher-privileged agents complete, such as data theft or privilege escalation, all without human oversight. The researchers demonstrated how a deceptively crafted input could prompt a low-level AI agent to create a task that is then interpreted and executed by a high-privilege agent, causing sensitive data—including personal and audit details—to be leaked to an external endpoint. Critically, this behavior is not a bug, but rather a result of default configuration settings within the platform. ServiceNow has acknowledged the issue but stated that the system behaves as designed; they’ve only updated documentation to better highlight potential risks. AppOmni recommends mitigating the threat by enabling supervised modes for privileged agents, disabling autonomous override features, segmenting responsibilities, and monitoring AI behavior closely. ([techradar.com](https://www.techradar.com/pro/security/second-order-prompt-injection-can-turn-ai-into-a-malicious-insider?utm_source=openai))
https://www.theregister.com/2025/11/25/hashjack_attack_ai_browser_hashtag/ - Cato describes HashJack as 'the first known indirect prompt injection that can weaponize any legitimate website to manipulate AI browser assistants.' It outlines a method where actors sneak malicious instructions into the fragment part of legitimate URLs, which are then processed by AI browser assistants such as Copilot in Edge, Gemini in Chrome, and Comet from Perplexity AI. Because URL fragments never leave the AI browser, traditional network and server defenses cannot see them, turning legitimate websites into attack vectors. The new technique works by appending a '#' to the end of a normal URL, which doesn't change its destination, then adding malicious instructions after that symbol. When a user interacts with a page via their AI browser assistant, those instructions feed into the large language model and can trigger outcomes like data exfiltration, phishing, misinformation, malware guidance, or even medical harm – providing users with information such as incorrect dosage guidance. ([theregister.com](https://www.theregister.com/2025/11/25/hashjack_attack_ai_browser_hashtag/?utm_source=openai))
https://time.com/7323827/ai-browsers-perplexity-comet/ - The TIME newsletter 'In the Loop' highlights growing concerns about AI-powered browsers, specifically addressing vulnerabilities in Perplexity's Comet browser. Comet, recently made free, features an integrated AI that can autonomously perform tasks like shopping and managing emails. However, cybersecurity firm LayerX discovered a major security flaw termed 'CometJacking', where hidden prompts in URLs tricked the AI into leaking personal data like emails and calendar info. Though Perplexity initially downplayed the issue, it later patched the vulnerability, asserting it was never exploited. This incident reflects a broader trend where the rush to embed AI into browsers could introduce novel security threats. Experts, like LayerX CEO Or Eshed, warn of a future where browsing becomes riskier. ([time.com](https://time.com/7323827/ai-browsers-perplexity-comet/?utm_source=openai))
https://www.itpro.com/security/ransomware/security-researchers-have-just-identified-what-could-be-the-first-ai-powered-ransomware-strain-and-it-uses-openais-gpt-oss-20b-model - Security researchers at ESET have identified what may be the first AI-powered ransomware strain, named 'PromptLock.' This malware utilizes OpenAI's recently released gpt-oss:20b model, deployed locally through the Ollama API, to create and execute malicious Lua scripts. These scripts enable the ransomware to scan files, steal data, and encrypt or potentially destroy it across multiple platforms—Windows, Linux, and macOS. PromptLock is built in Golang and uses the NSA-developed SPECK 128-bit encryption algorithm. A notable feature is its inclusion of a Bitcoin address associated with the pseudonymous cryptocurrency creator Satoshi Nakamoto. Though researchers highlight that PromptLock appears to be a proof-of-concept or a work in progress without destructive capabilities yet, its emergence marks a significant shift in cybersecurity threats. The use of AI for automating and enhancing ransomware attacks has been on the rise, with a recent Acronis study noting an increase in AI-driven social engineering attacks. Experts warn that we are entering a new era where cybercriminals could exploit AI for more advanced and unpredictable threats, urging the cybersecurity community to stay vigilant and proactive. ([itpro.com](https://www.itpro.com/security/ransomware/security-researchers-have-just-identified-what-could-be-the-first-ai-powered-ransomware-strain-and-it-uses-openais-gpt-oss-20b-model?utm_source=openai))

Noah Fact Check Pro

The draft above was created using the information available at the time the story first emerged. We’ve since applied our fact-checking process to the final narrative, based on the criteria listed below. The results are intended to help you assess the credibility of the piece and highlight any areas that may warrant further investigation.

Freshness check

Score: 8

Notes: The narrative introduces the 'HashJack' technique, a recent discovery in AI browser vulnerabilities, with the earliest known publication date being November 25, 2025. ([catonetworks.com](https://www.catonetworks.com/blog/cato-ctrl-hashjack-first-known-indirect-prompt-injection/?utm_source=openai)) The report includes updated data and references to recent incidents, indicating a high level of freshness. However, the topic has been covered by multiple reputable outlets, suggesting some degree of recycled content. ([techradar.com](https://www.techradar.com/pro/thats-not-very-trendy-of-them-ai-browsers-can-be-hacked-with-a-simple-hashtag-experts-warn?utm_source=openai)) The narrative is based on a press release from Cato Networks, which typically warrants a high freshness score. No discrepancies in figures, dates, or quotes were found. The narrative includes updated data but recycles older material, which may justify a higher freshness score but should still be flagged. ([catonetworks.com](https://www.catonetworks.com/blog/cato-ctrl-hashjack-first-known-indirect-prompt-injection/?utm_source=openai))

Quotes check

Score: 9

Notes: The narrative includes direct quotes from Cato Networks' report on the 'HashJack' technique. The earliest known usage of these quotes is from the report published on November 25, 2025. ([catonetworks.com](https://www.catonetworks.com/blog/cato-ctrl-hashjack-first-known-indirect-prompt-injection/?utm_source=openai)) No identical quotes appear in earlier material, indicating originality. The wording of the quotes matches the original source, with no variations found.

Source reliability

Score: 7

Notes: The narrative originates from a reputable organisation, Cato Networks, known for its cybersecurity research. However, the report is based on a press release, which may present a biased perspective. The report is well-cited, referencing multiple reputable outlets, including ZDNet and The Register. ([techradar.com](https://www.techradar.com/pro/thats-not-very-trendy-of-them-ai-browsers-can-be-hacked-with-a-simple-hashtag-experts-warn?utm_source=openai)) No unverifiable entities are mentioned in the report.

Plausability check

Score: 8

Notes: The narrative presents a plausible scenario of AI browser vulnerabilities, supported by recent findings from reputable sources. The claims are consistent with known cybersecurity issues related to AI browsers. The narrative includes specific factual anchors, such as the 'HashJack' technique and its impact on AI browsers. The language and tone are consistent with the region and topic, with no inconsistencies noted. The structure is focused on the main claim, with no excessive or off-topic detail. The tone is appropriately formal and technical, resembling typical corporate or official language.

Overall assessment

Verdict (FAIL, OPEN, PASS): PASS

Confidence (LOW, MEDIUM, HIGH): HIGH

Summary: The narrative presents a timely and plausible account of recent AI browser vulnerabilities, supported by original quotes from a reputable source. While based on a press release, the content is well-cited and consistent with known cybersecurity issues, warranting a high confidence in its accuracy.

AI security
Prompt injection
Cyberattacks