Ad blockers and VPNs are supposed to protect your privacy, but four popular browser extensions have been doing just the opposite. According to research from Koi Security, these pernicious plug-ins have been harvesting the text of chatbot conversations from more than 8 million people and sending them back to the developers.
The four seemingly helpful extensions are Urban VPN Proxy, 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker. They’re distributed via the Chrome Web Store and Microsoft Edge Add-ons, but include code designed to capture and transmit browser-based interactions with popular AI tools.
“Urban VPN Proxy targets conversations across ten AI platforms,” said Idan Dardikman, co-founder and CTO of Koi, in a blog post published Monday.
The research firm said that the platforms targeted include ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok, and Meta AI.
“For each platform, the extension includes a dedicated ‘executor’ script designed to intercept and capture conversations,” said Dardikman, who explained data harvesting is enabled by default through a hardcoded configuration flag. “There is no user-facing toggle to disable this. The only way to stop the data collection is to uninstall the extension entirely.”
According to Dardikman, the Urban VPN Proxy extension monitors the user’s browser tabs and, when the user visits one of the targeted platforms (e.g., chatgpt.com), it injects the “executor” script into the page.
“Once injected, the script overrides fetch() and XMLHttpRequest – the fundamental browser APIs that handle all network requests,” he explained. “This is an aggressive technique. The script wraps the original functions so that every network request and response on that page passes through the extension’s code first.”
The script parses the intercepted API responses and then packages and transmits the data via window.postMessage to the extension’s content script, along with the identifier PANELOS_MESSAGE. The content script then passes the data to a background service worker for exfiltration over the network to endpoints at analytics.urban-vpn.com and stats.urban-vpn.com.
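For defenders triaging unpacked extension source, the following added example (not code from Koi Security or from any of the extensions) flags the strings named above and the API-wrapping pattern described. The regexes, verdict names and sample files are constructed assumptions.

```javascript
// Static triage of unpacked extension source files (added example).
// Indicator strings are from the article; regexes, verdicts and samples are constructed.
const INDICATORS = [
  ["marker:PANELOS_MESSAGE", /PANELOS_MESSAGE/],
  ["endpoint:analytics.urban-vpn.com", /\banalytics\.urban-vpn\.com\b/i],
  ["endpoint:stats.urban-vpn.com", /\bstats\.urban-vpn\.com\b/i],
];
// Heuristics (assumptions): assignment over page network APIs, and a postMessage relay.
const HOOKS = [
  ["hook:fetch", /\b(?:window|globalThis|self)\.fetch\s*=(?!=)/],
  ["hook:XMLHttpRequest", /\bXMLHttpRequest\.prototype\.(?:open|send)\s*=(?!=)/],
];
const RELAY = ["relay:postMessage", /\bpostMessage\s*\(/];

// Return [{ id, line }] for every rule that matches a line of `text`.
function scanFile(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((src, i) => {
    for (const [id, re] of [...INDICATORS, ...HOOKS, RELAY]) {
      if (re.test(src)) findings.push({ id, line: i + 1 });
    }
  });
  return findings;
}
// "match": a string named in the article; "suspect": API hook plus relay; else "none".
function verdict(findings) {
  const has = (prefix) => findings.some((f) => f.id.startsWith(prefix));
  if (has("marker:") || has("endpoint:")) return "match";
  if (has("hook:") && has("relay:")) return "suspect";
  return "none"; // e.g. a fetch polyfill assigns window.fetch but relays nothing
}
function triage(files) {
  const report = {};
  for (const [name, text] of Object.entries(files)) {
    const findings = scanFile(text);
    report[name] = { verdict: verdict(findings), findings };
  }
  return report;
}
// Constructed sample input, not code recovered from any extension.
const SAMPLE_FILES = {
  "executor.js": "window.fetch = wrap(window.fetch);\nwindow.postMessage({ type: 'PANELOS_MESSAGE' }, '*');",
  "hooker.js": "XMLHttpRequest.prototype.send = wrap(old);\nwindow.postMessage(data, '*');",
  "background.js": "const HOST = 'stats.urban-vpn.com';",
  "polyfill.js": "if (typeof window.fetch === 'undefined') window.fetch = ponyfill;",
};
console.log(JSON.stringify(triage(SAMPLE_FILES), null, 2));
```

A "suspect" verdict only means the file wraps a network API and relays data out of the page, which some legitimate extensions also do, so it marks a file for manual review rather than confirming harvesting.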
The Register reached out to Urban VPN, affiliated company BiScience, and 1ClickVPN at their respective privacy email addresses. All three requests bounced.
Pointing to prior investigative material published by security researcher Wladimir Palant and John Tuckner of Secure Annex that details BiScience’s collection of clickstream/browsing history data, Dardikman said his company’s findings show BiScience expanding into the collection of AI conversations.
He notes that while Urban VPN does disclose AI data collection during the setup prompt and in its privacy policy, the Chrome Web Store listing indicates that data is not being sold to third parties outside approved use cases, and it does not specifically mention AI conversations.
“The consent prompt frames AI monitoring as protective,” he said. “The privacy policy reveals the data is sold for marketing.” He adds that users who installed Urban VPN prior to July 2025 would have never seen the consent prompt, which was added via a silent update with version 5.5.0.
He also argues that the software provides no indication that data collection happens even when the VPN is not active.
Dardikman notes that Urban VPN received a Featured Badge from the Chrome Web Store team.
“This means a human at Google reviewed Urban VPN Proxy and concluded it met their standards,” he said. “Either the review didn’t examine the code that harvests conversations from Google’s own AI product (Gemini), or it did and didn’t consider this a problem.”
He observes that the Chrome Web Store policies explicitly prohibit transferring or selling user data to third party data brokers like BiScience.
Google did not immediately respond to a request for comment.
The problem appears to be a loophole in Google’s Chrome Web Store Limited Use policy, which allows data to be transferred to third parties for limited scenarios (e.g., security or business ownership change) that do not include transferring data to data brokers.
Palant in his post suggests that BiScience and its affiliated partners implement user-facing features that allegedly require access to browsing history, to claim the “necessary to providing or improving your single purpose” exception that allows limited data transfer to third parties. Or they claim the security exception by implementing safe browsing or ad blocking features.
“Chrome Web Store appears to interpret their policies as allowing the transfer of user data, if extensions claim Limited Use exceptions through their privacy policy or other user disclosures,” Palant wrote. “Unfortunately, bad actors falsely claim these exceptions to sell user data to third parties.”
“If you have any of these extensions installed, uninstall them now,” Dardikman concluded. “Assume any AI conversations you’ve had since July 2025 have been captured and shared with third parties.”