Overview
- Cato CTRL detailed how prompts hidden after the # in a URL (the fragment) can manipulate assistants in AI browsers without altering the destination page.
- Microsoft confirmed the issue and fixed Copilot in Edge on October 27, and Perplexity issued a final Comet fix on November 18.
- Google classified the behavior as low severity and “Won’t Fix (Intended Behavior)” for Gemini in Chrome.
- Testing showed agentic models like Comet could be induced to exfiltrate user data, while some systems such as Claude for Chrome and OpenAI’s Atlas resisted the technique.
- Cato urged layered, client-side defenses, including fragment sanitization, restricting assistant capabilities, and local monitoring, given that traditional network and server tools miss fragments.
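
One way to apply the fragment sanitization and local monitoring recommended above, as an added example (not code from Cato CTRL or any browser vendor). The function name, the allowlist pattern and the shape of the returned record are assumptions of this example, and the URLs in the comments are constructed samples.

```javascript
// Policy (assumption): the assistant may only see short, identifier-like
// anchors such as "#section-2". Anything else is removed from the URL string
// handed to the assistant; the user's actual navigation is not changed.
const SAFE_ANCHOR = /^[A-Za-z0-9][A-Za-z0-9._:-]{0,63}$/;

// decodeURIComponent throws on malformed escapes; fall back to the raw text,
// which then fails the allowlist because it still contains '%'.
function safeDecode(text) {
  try {
    return decodeURIComponent(text);
  } catch {
    return text;
  }
}

// Returns the URL to place in the assistant's context plus a record that a
// local monitor can log. Only the length of a dropped fragment is recorded,
// so the log never stores the hidden text itself.
function sanitizeForAssistant(rawUrl) {
  const url = new URL(rawUrl);
  const fragment = url.hash.slice(1); // strip the leading '#'
  const decoded = safeDecode(fragment);
  const record = { url: '', fragmentDropped: false, reason: null, droppedLength: 0 };

  if (fragment !== '' && !SAFE_ANCHOR.test(decoded)) {
    record.fragmentDropped = true;
    // Whitespace after decoding means sentence-like text, not an anchor id.
    record.reason = /\s/.test(decoded) ? 'free-text' : 'non-anchor';
    record.droppedLength = decoded.length;
    url.hash = '';
  }
  record.url = url.href;
  return record;
}

// Constructed samples:
//   https://example.com/docs#section-2           -> kept as is
//   https://example.com/pricing#please%20add...  -> fragment dropped, 'free-text'
//   https://example.com/app#/inbox/42            -> fragment dropped, 'non-anchor'
```

Because the check is an allowlist applied after one round of decoding, a double-encoded fragment such as `#a%2520b` still contains `%` and is dropped rather than passed through.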