Browser Extensions Stealing AI Chats: Stop It Fast

Six million installs. A “Featured” badge. A 4.7-star rating. And an update that—quietly—started collecting prompts and responses from popular AI chat tools.

That’s not just a consumer privacy story. It’s an enterprise data-loss story hiding in plain sight inside the browser. If your teams use ChatGPT, Claude, Copilot, Gemini, Grok, Perplexity, or similar assistants for code, customer emails, incident write-ups, or strategy docs, then AI chat interception via browser extensions is a direct path to leaking sensitive data.

I’ve found that most organizations still treat the browser as “just a client.” The reality is it’s a highly privileged runtime with access to the exact information employees type when they think nobody’s watching—including AI conversations that often contain the best “summary” of a company’s internal operations.

What happened: a “Featured” extension intercepting AI chats

A practical reading of this incident is simple: a browser extension can see what users type into AI chat interfaces and can siphon it out to external servers.

The reported case involved a widely installed VPN/proxy extension that pushed an update in mid-2025. That update enabled AI data collection by default and targeted multiple AI platforms. Once installed, the extension injected site-specific scripts when a user visited AI chatbot pages.

How the interception worked (in plain terms)

The reported technique is effective because it goes after the plumbing.

Instead of trying to “screen scrape” the page, the injected code can override key web request APIs—fetch() and XMLHttpRequest()—so that every request to the AI service is routed through extension-controlled logic first. That makes it straightforward to capture:

• User prompts
• Chatbot responses
• Conversation IDs and timestamps
• Session metadata
• AI platform/model identifiers

If you’re thinking “But our AI tool uses HTTPS,” that’s the point: HTTPS protects data in transit between the browser and the service. It does not stop a local component—like an extension—from reading the data before it’s encrypted or after it’s decrypted.

Why “Featured” badges and star ratings didn’t help

Marketplace trust signals are easy to overvalue:

• “Featured” implies review quality, but it doesn’t mean ongoing behavioral monitoring.
• Ratings reflect user experience, not data handling.
• Auto-updates mean yesterday’s benign extension can become tomorrow’s collector without a new install event.

For security teams, this is the hard lesson: extension marketplaces are distribution channels, not security controls.

Why AI chat data is uniquely valuable (and uniquely risky)

AI chats aren’t like normal browsing history. They’re closer to a running transcript of how work gets done.

Here’s what regularly shows up in enterprise AI conversations:

• Internal system names, endpoints, and architecture diagrams (described in text)
• API keys pasted “just for a second”
• Customer details used to draft responses
• Incident timelines, detection logic, and remediation steps
• Source code and proprietary logic
• M&A research, pricing drafts, contract clause rewrites

Put differently: AI chat logs are a curated bundle of sensitive context. Attackers don’t need to break into ten systems if they can siphon the conversation where an employee summarizes all ten.

The uncomfortable truth about “AI protection” features

Some extensions market “AI protection” features—warnings about pasting personal data or clicking suspicious links. That sounds helpful, but it can also create a false sense of safety.

If an extension can “protect” prompts, it can also read them. The security question isn’t whether the UI shows a warning. It’s where the data goes, who can access it, and whether collection is actually optional.

The enterprise blind spot: shadow AI in the browser

Security programs have spent years building controls around endpoints, email, and cloud apps. Meanwhile, the browser has become the universal interface for:

• SaaS applications
• Developer tooling
• Internal admin consoles
• AI assistants

That’s why browser extension risk is now inseparable from AI security.

Why traditional controls miss extension-based AI interception

Most organizations rely on a mix of:

• EDR on endpoints
• CASB/SSE policies for sanctioned apps
• DLP for email and storage

Those help, but they often struggle with this exact scenario:

1. The user is on an approved AI website.
2. Traffic goes to the legitimate AI domain.
3. The extension captures content locally.
4. The extension exfiltrates to analytics-looking endpoints.

From the network’s perspective, it can look like ordinary web traffic. From the endpoint’s perspective, it can look like a normal browser process making requests.

This is where the “AI in Cybersecurity” series theme becomes real: attackers are using automation and scale against us, so detection also needs automation and scale.

How AI-powered security helps catch this class of threat

A direct stance: manual reviews and one-time audits won’t keep up with extension ecosystems and auto-updates. You need continuous monitoring.

AI-driven detection is useful here for one reason: it can connect weak signals into a strong conclusion.

What to detect (signals that matter)

For AI chat interception and similar browser-based collection, high-value signals include:

• Extension behavior changes after an update (new permissions, new domains, new content scripts)
• Script injection patterns on high-risk pages (AI chat, webmail, CRM)
• Network request anomalies such as:
  • new outbound destinations
  • beacon-like periodic calls
  • payload patterns consistent with conversation logs
• API hooking/override behavior (unexpected wrapping of fetch()/XMLHttpRequest() in page context)
• Cross-extension publisher relationships (same publisher shipping multiple “utility” extensions with similar telemetry)

A human can investigate these, but AI helps prioritize what matters today instead of two months later.

Where AI fits in security operations (practical examples)

Here are realistic ways AI supports prevention and faster response:

1. Extension risk scoring at scale

   • Combine permissions, update cadence, publisher reputation, and observed runtime behavior into a score.

2. Anomaly detection across web telemetry

   • Flag when AI chat pages suddenly trigger new third-party calls across a population of users.

3. Automated triage and containment playbooks

   • When risk crosses a threshold: disable the extension, revoke sessions, force re-auth, and open a ticket with evidence attached.

4. Policy generation and continuous enforcement

   • Recommend allowlists/denylists, then enforce them via managed browser or endpoint controls.

This is the core bridge: AI isn’t just the target. It’s the tool that helps you spot AI-related breaches early—especially when the breach rides through trusted UX signals like “Featured.”

What to do now: a practical checklist for security teams

The fastest wins come from reducing the attack surface and adding visibility where it’s missing.

1) Lock down extensions (yes, even for executives)

If your organization doesn’t have a managed extension policy, start there.

• Allowlist approved extensions only
• Block “VPN/proxy/unblocker” categories by default
• Require business justification for any extension that can read and change site data
• Review extensions after major updates, not just at install time

Snippet-worthy rule: If an extension can read page content, treat it like a data-handling vendor.

2) Treat AI chat as sensitive data by default

Many teams still classify AI prompts as “low risk.” That’s a mistake.

• Update your data classification guidance: AI prompts can contain confidential data
• Add a policy: don’t paste secrets, tokens, or customer identifiers
• Provide an approved enterprise AI workflow (with logging, controls, and retention policies)

3) Add browser-layer monitoring where it counts

If you can’t see extension activity, you’re guessing.

Look for controls that can:

• Inventory installed extensions continuously
• Detect injected scripts on sensitive pages
• Alert on new outbound endpoints and suspicious payload types

4) Build an “AI chat DLP” approach that’s realistic

Classic DLP patterns don’t always map cleanly to conversational text. Focus on what’s most damaging first:

• Credentials and API keys
• Customer PII snippets
• Internal URLs, admin paths, and system names
• Source code blocks and config files

5) Incident response: assume the chat transcript is compromised

If you discover AI chat interception, treat it like a targeted data exposure event.

• Identify impacted users and time window (tie to extension update date)
• Collect browser/extension artifacts and outbound destinations
• Rotate credentials that might have been pasted
• Review AI conversations used for coding or admin troubleshooting
• Notify legal/compliance early if regulated data could be included

People also ask: “Can a browser extension read my ChatGPT or Copilot chats?”

Yes. If an extension has permission to read and change data on the sites you visit, it can access what you type into AI chat pages and what the page returns. HTTPS doesn’t prevent local access.

People also ask: “Is removing the extension enough?”

Removing is step one, not the finish line. Assume exfiltration already happened. Your follow-up actions should include credential rotation, reviewing what was shared in AI chats, and tightening extension policy so it doesn’t recur.

Where this fits in the “AI in Cybersecurity” series

This incident is a clean example of the next phase of AI security: protecting the AI interaction layer. The model can be secure, your SSO can be strong, and your vendor can have solid controls—then a browser extension quietly siphons the conversation anyway.

If you want fewer surprises in 2026, don’t treat AI chat security as a niche problem. Treat it as mainstream data security that happens to be delivered through a chat box.

Most companies get this wrong the first time. The teams that respond well do three things: restrict extensions, monitor the browser, and use AI-driven detection to spot behavior shifts fast.

What’s your organization’s plan for the next “Featured” extension that updates overnight?