What's Happening?
A Google Chrome extension, Urban VPN Proxy, with a 'Featured' badge and six million users, has been found to intercept and collect data from AI-powered chatbots such as OpenAI ChatGPT, Anthropic Claude,
and others. The extension, developed by Urban Cyber Security Inc., was updated in July 2025 to include a JavaScript executor that captures user prompts and chatbot responses. This data is then sent to remote servers for analysis. Despite its claims of providing secure VPN services, the extension's privacy policy indicates that collected data is used for marketing analytics and shared with third parties. The extension's 'AI protection' feature, which warns users about sharing personal data, does not prevent data collection. Similar data harvesting functionalities have been identified in other extensions by the same publisher, affecting over eight million users.
Why It's Important?
The incident highlights significant privacy concerns regarding browser extensions, especially those with 'Featured' badges that imply trustworthiness. Users of AI chatbots often share sensitive information, making the unauthorized collection of such data a serious breach of privacy. This situation underscores the potential for misuse of extension marketplaces, where trust can be exploited to gather personal data at scale. The involvement of third-party companies in analyzing and potentially selling this data raises further ethical and legal questions. The case also points to the need for stricter oversight and transparency in how browser extensions handle user data, as well as the importance of user awareness regarding the permissions granted to such tools.
What's Next?
The exposure of this data collection practice may prompt regulatory scrutiny and potential legal action against the developers. Google and Microsoft, whose platforms host these extensions, may face pressure to enhance their review processes and tighten policies to prevent similar incidents. Users might become more cautious about installing extensions, especially those that require extensive permissions. This could lead to a broader discussion on digital privacy and the responsibilities of tech companies in safeguarding user data. Additionally, there may be calls for more robust privacy standards and clearer disclosures from extension developers.
