A browser extension that promised privacy has been caught doing the exact opposite. Security researchers have uncovered that Urban VPN Proxy, a "Featured" extension on the Chrome Web Store, has been systematically intercepting and exfiltrating user conversations from major AI platforms—affecting more than 7.3 million users across Chrome and Edge browsers.

What Happened

Urban VPN Proxy, marketed as a free VPN solution for privacy-conscious users, has been secretly harvesting AI chat conversations since version 5.5.0 was released on July 9, 2025. The malicious update transformed a seemingly legitimate privacy tool into a sophisticated data exfiltration operation.

According to UltraViolet Cyber's threat advisory, the extension targets 10 major AI platforms including ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok, and Meta AI. The scope is staggering: over 6 million Chrome users and 1.3 million Edge users have installed the extension, making this one of the largest browser-based data harvesting incidents targeting AI communications.

Technical Details

The attack methodology is particularly insidious. As detailed by CSO Online, the extension injects malicious JavaScript—referred to as "executor scripts"—directly into the DOM of AI chat websites. These scripts hook into the browser's networking functions (XHR and fetch APIs) to intercept communications before they're rendered on screen.
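
The hooking described above leaves a visible trace: a replaced fetch or XHR method no longer stringifies as browser-native code. The following check is an added example, not code from the article or the researchers; the function names are hypothetical and the sample window is constructed so the block also runs under Node.

```javascript
// Added example (not from the article): heuristic check for replaced
// networking functions in a page. Function names are hypothetical.
// A built-in stringifies as "function fetch() { [native code] }"; a wrapper
// installed by an injected script normally shows its own source instead.
const NATIVE_RE = /^\s*function\s*[\w$]*\s*\(\s*\)\s*\{\s*\[native code\]\s*\}\s*$/;

function isNative(fn) {
  return typeof fn === "function" &&
    NATIVE_RE.test(Function.prototype.toString.call(fn));
}

// Returns the names of networking entry points on `win` that exist but are
// no longer the browser's own implementation.
function findPatchedNetworkApis(win) {
  const proto = win.XMLHttpRequest ? win.XMLHttpRequest.prototype : undefined;
  const targets = {
    "fetch": win.fetch,
    "XMLHttpRequest": win.XMLHttpRequest,
    "XMLHttpRequest.prototype.open": proto && proto.open,
    "XMLHttpRequest.prototype.send": proto && proto.send,
  };
  return Object.keys(targets)
    .filter((name) => targets[name] !== undefined && !isNative(targets[name]));
}

// Constructed stand-in for a page's window: built-ins play the native APIs,
// and `wrapFetch` swaps fetch for a pass-through wrapper, as a hook would.
function sampleWindow(wrapFetch) {
  const Xhr = Math.max.bind(null);           // bound built-in, stringifies as native
  Xhr.prototype = { open: Math.min, send: Math.abs };
  const win = { fetch: Math.max, XMLHttpRequest: Xhr };
  if (wrapFetch) {
    const original = win.fetch;
    win.fetch = function (...args) { return original.apply(this, args); };
  }
  return win;
}

// In DevTools on an AI chat page: findPatchedNetworkApis(window)
```

Site code and legitimate extensions also wrap these functions, so a non-empty result is a reason to repeat the check in a profile with all extensions disabled and compare, not proof of harvesting.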

The harvested data includes:

  • User prompts – Every question and instruction sent to AI assistants
  • Model responses – Complete AI-generated outputs
  • Session metadata – Timestamps, session IDs, and service identifiers

Perhaps most concerning: according to security expert Bruce Schneier, the data harvesting functionality is hardcoded to "enabled" with zero user-facing toggles to disable it. The collection occurs even when the VPN features are turned off—the only way to stop it is complete uninstallation.

Once captured, the data is compressed and transmitted to servers controlled by Urban VPN's operator. Malwarebytes researchers identified that Urban VPN is operated by Urban Cyber Security Inc., affiliated with BiScience (B.I Science (2009) Ltd)—a known data broker that collects browsing histories and device identifiers at scale.

Impact Assessment

The implications of this breach extend far beyond individual privacy violations. The captured conversations likely contain:

  • Proprietary source code shared with AI coding assistants like GitHub Copilot
  • Confidential business information including strategy documents and internal communications
  • Personally identifiable information (PII) from users seeking AI assistance with personal matters
  • Trade secrets and intellectual property discussed in corporate AI workflows
  • Medical and financial information from sensitive personal queries

For enterprises, this represents a severe supply chain security failure. Because Chrome and Edge extensions auto-update by default, users who originally installed a benign version were silently migrated to the spying version without any notification or consent mechanism.

The "Featured" badge on the Chrome Web Store—meant to signal trustworthiness—actually amplified the damage by encouraging more installations. This highlights a fundamental gap in browser extension vetting processes.

What You Should Do

Immediate Actions

  1. Uninstall immediately: Remove Urban VPN Proxy and any related extensions (Urban Ad Blocker, Urban Browser Guard, 1ClickVPN) from all browsers
  2. Audit your extensions: Review all installed browser extensions and remove any that aren't absolutely necessary
  3. Rotate compromised credentials: Any API keys, passwords, or tokens shared in AI conversations during the affected period should be considered compromised and rotated
  4. Review sensitive code: If you used AI coding assistants with the extension installed, audit any proprietary code that may have been exposed
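
Steps 1 and 2 can be scripted across profiles. The following Node.js auditor is an added example, not code from the article or the researchers: it reads unpacked extension manifests from a Chrome or Edge profile and flags the extensions named above. The function names are hypothetical, and matching on display name instead of extension ID is an assumption, because the article lists no IDs.

```javascript
// Added example. Names and the 5.5.0 threshold are the article's; name matching is assumed.
const FLAGGED = [
  { name: "Urban VPN Proxy", harvestingSince: "5.5.0" },
  { name: "Urban Ad Blocker" }, { name: "Urban Browser Guard" }, { name: "1ClickVPN" },
];

// Compare dotted integer versions numerically, so "5.10.0" sorts after "5.5.0".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// "__MSG_key__" names resolve through _locales/<locale>/messages.json, case-insensitively.
function resolveName(manifest, messages) {
  const m = /^__MSG_(.+)__$/.exec(manifest.name || "");
  if (!m) return manifest.name || "";
  const key = Object.keys(messages).find((k) => k.toLowerCase() === m[1].toLowerCase());
  return key ? messages[key].message : manifest.name;
}

// Returns null for extensions the article does not name, otherwise a finding.
function classify(manifest, messages = {}) {
  const name = resolveName(manifest, messages);
  const hit = FLAGGED.find((f) => name.toLowerCase().includes(f.name.toLowerCase()));
  if (!hit) return null;
  const since = hit.harvestingSince;   // absent: the article gives no version
  const inAffectedRange = since ? compareVersions(manifest.version, since) >= 0 : null;
  return { name, version: manifest.version, inAffectedRange };
}

// Walks <profile>/Extensions/<id>/<version>/manifest.json (Chrome and Edge layout).
function auditProfile(extensionsDir) {
  const fs = require("fs"), path = require("path");
  const readJson = (f) => (fs.existsSync(f) ? JSON.parse(fs.readFileSync(f, "utf8")) : null);
  const dirs = (d) => fs.readdirSync(d, { withFileTypes: true })
    .filter((e) => e.isDirectory()).map((e) => path.join(d, e.name));
  const findings = [];
  for (const root of dirs(extensionsDir).flatMap(dirs)) {
    const manifest = readJson(path.join(root, "manifest.json"));
    if (!manifest) continue;
    const locale = manifest.default_locale || "en";
    const messages = readJson(path.join(root, "_locales", locale, "messages.json")) || {};
    const finding = classify(manifest, messages);
    if (finding) findings.push({ id: path.basename(path.dirname(root)), ...finding });
  }
  return findings;
}
```

Call `auditProfile()` with the `Extensions` directory of each browser profile on the machine; a finding with `inAffectedRange: true` is Urban VPN Proxy at or above the version the article ties to chat harvesting.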

For Organizations

  • Implement browser extension allowlists to restrict installations to approved tools only
  • Deploy endpoint monitoring to detect unauthorized extension behavior
  • Update security awareness training to cover AI tools and browser extensions as combined data-loss vectors
  • Consider browser isolation solutions for sensitive AI interactions

Lessons Learned

This incident crystallizes several uncomfortable truths about browser security:

Trust indicators are inadequate. The "Featured" badge and millions of downloads created a false sense of security. Store curation processes clearly failed to detect the malicious behavior introduced in version 5.5.0.

Free VPNs remain high-risk. The economics of "free" services often depend on monetizing user data. When a VPN provider is affiliated with a data broker, the business model becomes self-evident in hindsight.

AI conversations are high-value targets. As AI assistants become integrated into professional workflows, they become repositories of sensitive information that attackers are increasingly motivated to harvest.

Browser extensions are a blind spot. Many organizations focus security controls on network perimeters and endpoints while overlooking the significant privileges granted to browser extensions. These tools operate inside the trust boundary, with direct access to page content and network requests.

The browser-in-the-middle attack vector demonstrated here should prompt security teams to reassess their extension policies and monitoring capabilities—particularly for systems accessing AI services with sensitive data.

Resources