A Google Chrome extension with a “Featured” badge and six million users quietly gathers every prompt users enter into artificial intelligence (AI)-powered chatbots such as OpenAI ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, xAI Grok, Meta AI, and Perplexity.
The extension in question, Urban VPN Proxy, holds a 4.7 rating on the Google Chrome Web Store. It advertises itself as the “best secured Free VPN access to any website, and unblock content.” A Delaware-based company named Urban Cyber Security Inc. develops the extension. On the Microsoft Edge Add-ons marketplace, the extension counts 1.3 million installations.
However, despite claiming that it allows users to “protect your online identity, stay protected, and hide your IP,” the developer pushed an update to users on July 9, 2025. With the release of version 5.5.0, the extension enabled AI data harvesting by default through hard-coded settings.
How the Extension Intercepts AI Conversations
Specifically, the extension accomplishes this collection through a tailored executor JavaScript file for each AI chatbot (e.g., chatgpt.js, claude.js, gemini.js). As a result, the script intercepts and gathers conversations every time a user with the extension installed visits any of the targeted platforms.
Once the script injects itself, it overrides the browser APIs responsible for handling network requests—fetch() and XMLHttpRequest(). Consequently, every request first routes through the extension’s code, allowing it to capture conversation data, including user prompts and chatbot responses, and exfiltrate that information to two remote servers (“analytics.urban-vpn[.]com” and “stats.urban-vpn[.]com”).
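The fetch()/XMLHttpRequest override described above can be checked for from the page side. The following is an added example, not code from the article, Koi Security or Urban VPN; it assumes a browser or Node 18+ runtime and, because Node's own fetch is written in JavaScript, stands in a genuine built-in for the browser's native fetch in the offline demo.

```javascript
// Added example (not from the article, Koi Security or Urban VPN): audit whether
// the network primitives the article names (fetch, XMLHttpRequest and its
// open/send methods) still resolve to the browser's built-ins or have been
// replaced by injected JavaScript.
// A genuine built-in stringifies as "function fetch() { [native code] }";
// a JavaScript wrapper stringifies as its own source, so the pattern fails.
const NATIVE_RE = /^function\s*[\w$]*\s*\(\)\s*\{\s*\[native code\]\s*\}$/;

function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  try {
    return NATIVE_RE.test(Function.prototype.toString.call(fn));
  } catch (e) {
    return false; // a tampered toString is itself worth flagging
  }
}

// Returns the names of audited APIs that no longer look native. `scope`
// defaults to the global object so the check runs unchanged inside a page.
function hookedApis(scope = globalThis) {
  const targets = { fetch: scope.fetch };
  const xhr = scope.XMLHttpRequest;
  if (typeof xhr === "function") {
    targets.XMLHttpRequest = xhr;
    targets["XMLHttpRequest.prototype.open"] = xhr.prototype.open;
    targets["XMLHttpRequest.prototype.send"] = xhr.prototype.send;
  }
  return Object.entries(targets)
    .filter(([, fn]) => fn !== undefined && !isNativeFunction(fn))
    .map(([name]) => name);
}

// Constructed scopes for an offline demo (assumption: Node's own fetch is
// written in JavaScript, so Array.prototype.push stands in for a browser's
// native fetch; in a real page you would pass nothing and audit globalThis).
function cleanScope() {
  return { fetch: Array.prototype.push };
}

// Simulates the condition the article describes: fetch replaced by a wrapper
// that sees every request. This wrapper only forwards the call.
function hookedScope() {
  const realFetch = cleanScope().fetch;
  return {
    fetch: function fetch(...args) { return realFetch.apply(this, args); },
  };
}
```

A hook that also replaces Function.prototype.toString defeats this check, so treat a clean result as necessary rather than sufficient.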
The extension captures the following data:
- Prompts entered by the user
- Chatbot responses
- Conversation identifiers and timestamps
- Session metadata
- AI platform and model used
“Chrome and Edge extensions auto-update by default,” Koi Security’s Idan Dardikman said in a report published today. “Users who installed Urban VPN for its stated purpose – VPN functionality – woke up one day with new code silently harvesting their AI conversations.”
Privacy Policy Disclosures and Claimed Safeguards
Meanwhile, Urban VPN’s updated privacy policy, dated June 25, 2025, states that the company collects this data to enhance Safe Browsing and for marketing analytics purposes. The policy further claims that any secondary use of gathered AI prompts relies on de-identified and anonymized data:
As part of the Browsing Data, we will collect the prompts and outputs quired [sic] by the End-User or generated by the AI chat provider, as applicable. Meaning, we are only interested in the AI prompt and the results of your interaction with the chat AI.
Due to the nature of the data involved in AI prompts, some sensitive personal information may be processed. However, the purpose of this processing is not to collect personal or identifiable data, we cannot fully guarantee the removal of all sensitive or personal information, we implement measures to filter out or eliminate any identifiers or personal data you may submit through the prompts and to de-identify and aggregate the data.
In addition, Urban VPN shares “Web Browsing Data” with an affiliated ad intelligence and brand monitoring firm named BIScience. According to the VPN provider, BIScience uses the raw, non-anonymized data to generate insights that are “commercially used and shared with Business Partners.”
Notably, BIScience—which also owns Urban Cyber Security Inc.—came under scrutiny earlier this January when an anonymous researcher accused the company of collecting users’ browsing history, or clickstream data, under misleading privacy policy disclosures.
The company allegedly supplies a software development kit (SDK) to partner third-party extension developers. This SDK collects clickstream data from users and transmits it to the sclpfybn[.]com domain and other endpoints under the company’s control.
“BIScience and partners take advantage of loopholes in the Chrome Web Store policies, mainly exceptions listed in the Limited Use policy, which are the ‘approved use cases,’” the researcher noted, adding they “develop user-facing features that allegedly require access to browsing history, to claim the ‘necessary to providing or improving your single purpose’ exception.”
“AI Protection” Feature and Its Limitations
On its extension listing page, Urban VPN also promotes an “AI protection” feature. According to the description, the feature checks prompts for personal data, scans chatbot responses for suspicious or unsafe links, and displays a warning before users submit prompts or click on them.
Although the company frames this monitoring as a way to prevent users from accidentally sharing personal information, the developers fail to disclose that the extension collects data regardless of whether users enable this feature.
“The protection feature shows occasional warnings about sharing sensitive data with AI companies,” Dardikman said. “The harvesting feature sends that exact sensitive data – and everything else – to Urban VPN’s own servers, where it’s sold to advertisers. The extension warns you about sharing your email with ChatGPT while simultaneously exfiltrating your entire conversation to a data broker.”
Furthermore, Koi Security identified identical AI harvesting functionality in three additional extensions from the same publisher across Chrome and Microsoft Edge. Together, these extensions exceed eight million total installations:
- 1ClickVPN Proxy
- Urban Browser Guard
- Urban Ad Blocker
All of these extensions—except Urban Ad Blocker for Edge—carry the “Featured” badge. This designation suggests that the extensions follow platform “best practices and meet a high standard of user experience and design.”
Abuse of Marketplace Trust Signals
“These badges signal to users that the extensions have been reviewed and meet platform quality standards,” Dardikman explained. “For many users, a Featured badge is the difference between installing an extension and passing it by – it’s an implicit endorsement from Google and Microsoft.”
Ultimately, these findings once again show how attackers can exploit trust signals within extension marketplaces to collect sensitive data at scale. This risk becomes even more pronounced as users increasingly share deeply personal information, seek advice, and discuss emotions with AI chatbots.
Source: TheHackerNews