Featured Chrome Extensions Silently Harvested Millions of Users’ AI Chat Data

Featured Chrome Browser Extension Caught Intercepting Millions of Users’ AI Chats

A Google Chrome extension, Urban VPN Proxy, boasting over six million users and a “Featured” badge, was discovered collecting user prompts and responses from popular AI chatbots, including ChatGPT and Gemini. The extension was updated on July 9, 2025, to include this data harvesting functionality via injected JavaScript.

This incident underscores the gap between advertised functionality and actual data collection practices in browser extensions. While users trust “Featured” badges, malicious actors can exploit these platforms to gather sensitive information at scale, potentially impacting millions.

Why This Matters

The ideal model assumes user data is protected by platform policies and extension developer integrity, but this case demonstrates a clear breach of trust. The unauthorized collection and potential sale of AI conversation data – including sensitive personal information – represents a significant privacy risk and could lead to identity theft or targeted advertising, costing users and platforms alike.

Key Insights

• Six million users affected: Urban VPN Proxy alone had over six million installations on Chrome.
• JavaScript injection: The extension intercepted data using tailored JavaScript executors for each AI chatbot.
• BIScience data sharing: Collected data was shared with BIScience, an affiliated ad intelligence firm, for commercial use.

Working Example

(No code provided in context)

Practical Applications

• Use Case: Urban VPN’s developer, BIScience, monetizes user data through targeted advertising insights sold to business partners.
• Pitfall: Relying solely on “Featured” badges for security can lead to the installation of malicious extensions that compromise user privacy.

References:

• https://thehackernews.com/2025/12/featured-chrome-browser-extension.html