Urban VPN Proxy Browser Extension Reportedly Harvested and Sold Private AI Chatbot Conversations via Silent Update

Urban VPN Proxy, a Chrome browser extension with over 6 million users and a 'Featured' badge from Google, was discovered to be secretly harvesting AI conversations from users. The extension, developed by Urban Cyber Security Inc., began collecting this data in July 2025 with version 5.5.0, which introduced AI conversation harvesting by default. The system targets ten major AI platforms including ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok, and Meta AI. The extension injects dedicated 'executor' scripts into these platforms that override browser functions to intercept all API traffic, capturing user prompts, AI responses, timestamps, and session metadata. This data is then transmitted to Urban VPN's servers and shared with affiliated data broker BiScience for commercial purposes. The harvesting operates continuously regardless of whether the VPN is active, and users have no way to disable it without completely uninstalling the extension. Security researchers at Koi discovered that seven additional extensions from the same publisher, affecting over 8 million total users across Chrome and Edge, contain identical harvesting functionality. The company's privacy policy admits to collecting 'AI Inputs and Outputs' and sharing them for 'marketing analytics purposes,' though the Chrome Web Store listing claims data is not sold to third parties.