Security researcher Bar Lanyado from Appsec Phoenix has disclosed a novel attack technique named HashJack. This method is an indirect prompt injection attack designed to manipulate Large Language Models (LLMs) and AI chatbots by exploiting how they process URL fragments.

The attack targets AI-powered browser extensions, such as those for Google’s Gemini and OpenAI’s ChatGPT, which have permissions to read content from a user’s active web page. The HashJack technique weaponizes legitimate websites without requiring any compromise of the site itself.

How the HashJack Attack Works

The HashJack attack leverages the URL fragment, which is the part of a URL that follows a hash (#) symbol. An attacker crafts a specific URL containing a malicious prompt hidden within this fragment. This URL is then shared with a potential victim.

When the victim opens the link, any active LLM-powered browser extension that scans the page content will also read the full URL, including the malicious fragment. The LLM then interprets the text in the fragment not as a location on the page, but as a direct instruction. This causes the AI assistant to perform actions unintended by the user, based on the attacker’s hidden command.

Demonstrated Impact and Vendor Response

Lanyado developed a proof-of-concept to demonstrate the real-world impact of the HashJack attack. The demonstration showed that a specially crafted URL could trick an AI assistant into accessing a user’s private emails and then creating a markdown link. If the user clicked this link, their private email data would be sent to an attacker-controlled server.

The researcher responsibly disclosed his findings to both Google and OpenAI. In response, Google acknowledged the report but classified the issue as an “unintended product interaction,” stating it did not meet the criteria for a security vulnerability. OpenAI also acknowledged receipt of the report. Lanyado maintained that the technique should be treated as a vulnerability due to its demonstrated ability to exfiltrate personally identifiable information (PII).

Source: https://www.infosecurity-magazine.com/news/hashjack-indirect-prompt-injection/