Israeli cybersecurity researchers have identified a critical vulnerability in popular AI-powered browsers that allows any legitimate website to be transformed into a potential hacking tool, without the need for attackers to breach the sites themselves. The discovery was made by the Cato CTRL research group of Cato Networks and involves widely used AI tools, including Google’s Gemini, Microsoft’s Copilot, and Perplexity’s Comet.
The research outlined a series of primary attack scenarios in which cybercriminals can manipulate AI assistants to display fake phone numbers and links when users request customer service contact information for various organizations. These scenarios could lead to the unauthorized extraction of sensitive user data, the theft of login credentials, dissemination of false information, and the creation of misleading narratives that could influence users’ decisions without their knowledge.
The technique leveraged by attackers is termed HashJack. This method requires the addition of malicious instructions to a legitimate website address, which are then distributed to potential victims. When a user accesses the modified website, the malicious prompts interact with smart AI assistants such as Gemini and Copilot, triggering the attack scenarios.
According to Cato Networks, traditional defense systems are unable to detect these attacks because they exploit prompts embedded in the website address after the hashtag symbol (#), a process that operates outside the browser’s visible work. This method capitalizes on users’ trust in legitimate websites, utilizing link addresses that appear credible, making it difficult for users to suspect any malicious intent, as opposed to traditional phishing sites that often raise red flags.
The ability of attackers to transform even legitimate sites into tools for malicious activities illustrates a new subcategory of cyber threats in the AI landscape. The implications of this vulnerability are significant, as it suggests that many trusted websites could unwittingly become vessels for cybercrime, all without the need for an actual breach of those sites.
Cato Networks has stated that they informed the companies whose tools were found to contain these vulnerabilities well in advance, allowing them to address the issues before user exposure. This proactive approach is often referred to in the cybersecurity field as “white hat hacking.” According to their data, a fix was applied to Microsoft’s Copilot for the Edge browser on October 27, 2025. In the Comet browser, the issue was reported to have been resolved on November 18, 2025. However, as of November 25, 2025, no resolution had been implemented for Gemini on Chrome.
The discovery highlights the ongoing challenges faced by both users and technology companies in maintaining cybersecurity in an increasingly complex digital landscape. As reliance on AI tools continues to grow, the need for robust protective measures becomes even more crucial, with the potential for new threats emerging alongside innovations. Stakeholders in the industry are expected to closely monitor these developments, as this vulnerability serves as a reminder of the inherent risks associated with the integration of AI technologies into everyday browsing experiences.
See also
Congress Summons Anthropic CEO Amid First AI-Orchestrated Cyberattack Linked to China
Endpoint Security Market to Reach $23.9B by 2030 with 7.2% CAGR Amid Rising Cyber Threats
Trend Micro Launches AI Security Package to Mitigate Risks in AI Application Lifecycle
Borderless CS Launches AI-Driven SOC and MDR Services for Enhanced Cyber Defence
Athena Security Launches AI X-Ray System to Detect Drone Components Before Threats Emerge
