Google Chrome extensions with the “Featured” badge and 6 million users have been observed silently collecting all prompts entered by users into artificial intelligence (AI)-powered chatbots such as OpenAI ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, xAI Grok, Meta AI, and Perplexity.
The extension in question is Urban VPN Proxy, which has a rating of 4.7 on the Google Chrome Web Store. It’s advertised as “the most secure free VPN to access any website and unblock content.” Its developer is a Delaware-based company called Urban Cyber Security Inc. The Microsoft Edge Add-on Marketplace has 1.3 million installations.
Despite claiming to allow users to “protect your online identity, stay protected, and hide your IP,” the extension was updated on July 9, 2025 to release version 5.5.0, enabling AI data collection by default with hardcoded settings.
Specifically, this is achieved through a customized executable JavaScript that is triggered for each AI chatbot (chatgpt.js, claude.js, gemini.js) to intercept and collect conversations whenever a user with the extension installed visits one of the target platforms.
Once injected, the script overrides the browser APIs used to handle network requests (fetch() and XMLHttpRequest()), routes all requests first through the extension’s code, and captures and extracts conversation data, including user prompts and chatbot responses, to two remote servers (‘analytics.urban-vpn’).[.]com” and “stats.urban-vpn”[.]com”).
Here is the exact list of data captured by this extension:
Prompts entered by the user Chatbot responses Conversation identifiers and timestamps Session metadata AI platforms and models used
“Chrome and Edge extensions are automatically updated by default,” Koi Security’s Idan Dardikman said in a report published today. “Users who installed Urban VPN for the stated purpose of VPN functionality woke up one day to find new code silently collecting AI conversations.”
It is worth mentioning that Urban VPN’s updated Privacy Policy dated June 25, 2025 states that we collect this data for the purpose of enhancing Safe Browsing and marketing analysis, and that any other secondary uses of the collected AI prompts will be performed on anonymized and de-identified data.
We collect the required prompts and output as part of your browsing data. [sic] Generated by the end user or by the AI chat provider, as appropriate. In other words, we are only interested in the AI prompts and the results of our interactions with the chat AI.
Due to the nature of the data contained in AI prompts, some sensitive personal information may be processed. However, the purpose of this processing is not to collect personal or personally identifiable data and we cannot completely guarantee the deletion of all sensitive or personal information. We implement measures to filter or remove identifiers or personal data submitted through prompts, and to anonymize and aggregate data.
One of the third parties with which we share “web browsing data” is an affiliated advertising intelligence and brand monitoring company named BIScience. The company uses raw (non-anonymized) data to create insights, and those data are “used commercially and shared with business partners,” the VPN software maker said.
Notably, BiScience, which is also part of Urban Cyber Security, was called out by anonymous researchers earlier this year for collecting users’ browsing history, or something called clickstream data, based on misleading privacy policy disclosures.
The company allegedly provided a software development kit (SDK) to its third-party extension developer partners to collect clickstream data from users and send it to sclpfybn.[.]com and other endpoints under its control.
“BIScience and its partners are exploiting loopholes in the Chrome Web Store policies, primarily leveraging the ‘approved use cases’ exceptions listed in the Limited Use Policy,” the researchers wrote, adding, “BIScience and its partners are developing features for users that require access to their browsing history in order to claim exceptions that are ‘necessary to serve or improve a single purpose.'”
On its extension listing page, Urban VPN also highlights its “AI Protection” feature, which it says will check the chatbot’s responses to personal data entry prompts, suspicious or unsafe links, and display a warning before the user submits or clicks on a prompt.
This monitoring is intended to prevent users from accidentally sharing personal information, but what the developers fail to mention is that data collection will occur whether or not this feature is enabled.
“Protection features will occasionally show warnings about sharing sensitive data with AI companies,” Durdikman said. “The harvester sends your precise sensitive data and everything else to Urban VPN’s own servers, where it is sold to advertisers. The extension warns you about sharing your email with ChatGPT, while also leaking the entire conversation to a data broker.”
Oi Security confirmed that the same AI collection functionality exists across Chrome and Microsoft Edge in three other proprietary extensions from the same publisher, with a total installed base of over 8 million.
1ClickVPN Proxy Urban Browser Guard Urban Ad Blocker
All of these extensions, except Urban Ad Blocker for Edge, carry a “Featured” badge, giving users the impression that they “follow best practices and meet high standards of user experience and design” for the platform.
“These badges let users know that the extension has been reviewed and meets the platform’s quality standards,” Dardikman noted. “For many users, the featured badge is the difference between installing an extension and leaving it alone. It’s a tacit endorsement from Google and Microsoft.”
This finding reiterates that the trust associated with extension marketplaces can be exploited to accumulate sensitive data at scale, especially as users increasingly share detailed personal information, seek advice, and discuss their feelings with AI chatbots.
Hacker News has reached out to both Google and Microsoft for comment and will update the article if we hear back.
Source link
