Browser Extensions Stealing AI Chats: Stop It Fast

Six million installs is supposed to signal safety. “Featured” badges are supposed to signal trust. Yet a recent case showed a widely installed, marketplace-featured browser extension silently collecting users’ AI chatbot conversations—including prompts and responses—and sending them to remote analytics endpoints.

This matters far beyond personal privacy. AI chats now contain the stuff security teams used to beg users not to paste into random tools: internal project details, credentials copied “just for a second,” customer data, incident notes, source code snippets, and legal drafts. When a browser extension intercepts those conversations, it doesn’t just create a privacy problem—it creates a data exfiltration channel that sits inside the one app everyone uses all day: the browser.

I’m using this incident as a case study in our AI in Cybersecurity series for one reason: it’s a clean example of where AI-driven threat detection and secure data handling controls can catch the problem faster than manual reviews and policy PDFs.

What happened—and why “Featured” didn’t protect anyone

A popular Chrome extension (Urban VPN Proxy) with a “Featured” badge and a reported ~6 million users was observed intercepting AI chatbot conversations across multiple platforms (including major consumer and enterprise-used chat tools). Researchers reported that an update released in July 2025 (version 5.5.0) enabled AI chat data collection by default.

The mechanism is the part security teams should focus on: the extension injected site-specific JavaScript into targeted AI chat pages and hooked network request APIs—notably fetch() and XMLHttpRequest()—so that chat traffic could be captured before being sent on to the AI service. The collected data reportedly included:

• User prompts
• Chatbot responses
• Conversation identifiers and timestamps
• Session metadata
• AI platform/model identifiers

In plain terms: if your users typed it into an AI chat window in the browser, the extension could see it. And if the bot answered it, the extension could see that too.

The trust trap: marketplace signals ≠ security validation

A “Featured” badge is a UX trust accelerator. It’s not a security guarantee.

Extension marketplaces optimize for adoption: good ratings, smooth onboarding, stable updates, and “helpful” features. Security review processes exist, but the extension model is inherently high-risk because:

1. Extensions can auto-update (often without meaningful user friction).
2. Permissions are broad (especially for tools that claim they need access “on all sites”).
3. The browser is the data plane for modern work: SaaS, email, identity flows, and now AI assistants.

If you’re defending an enterprise, assume that any consumer-installed browser extension is a potential covert data collector—especially when it’s free.

Why AI chats are a high-value target (and why attackers know it)

AI chat is becoming the new “scratchpad” for work. People use it to:

• Draft emails to customers and partners
• Summarize internal documents
• Troubleshoot code and paste logs
• Ask about HR, legal, or finance scenarios
• Prepare incident response narratives

That behavior creates a predictable security outcome: AI chats concentrate sensitive context. Even when a user avoids explicit secrets, prompts often contain enough breadcrumbs to reconstruct what matters—names, systems, timelines, vendors, and internal jargon.

Here’s the uncomfortable stance I’ll take: “Don’t paste sensitive data into AI” is not a strategy. It’s a poster.

A real strategy assumes users will use AI tools and then builds controls around:

• Where the data flows
• Who can install intercepting software
• How quickly you can detect exfiltration
• What you can do automatically when it happens

This is exactly where AI in cybersecurity earns its keep.

How AI-driven security could catch this faster

Signature-based controls struggle with extension abuse because the behavior can look “normal” at a network level: analytics calls, telemetry endpoints, JSON posts. What works better is behavioral detection—and this is a sweet spot for machine learning in security operations.

1) Detect “AI chat exfiltration” as a behavioral pattern

This incident has a very specific shape:

• User visits known AI chat domains
• Browser sends chat traffic to the AI provider
• Extension injects scripts and mirrors or forwards payloads
• Additional outbound requests appear to non-essential analytics domains
• Payloads correlate tightly with chat timing and size

AI-based anomaly detection can model this correlation:

• Temporal correlation: outbound posts spike within milliseconds/seconds of chat submit events
• Destination novelty: endpoints that are unusual for the organization or for that app category
• Content fingerprints: consistent JSON structures that resemble chat messages, conversation IDs, or prompt/response patterns

A practical control many teams overlook: treat AI chat services as high-sensitivity web apps, similar to webmail or CRM. Then apply stricter behavioral baselines.

2) Use LLM-assisted SOC triage to reduce time-to-truth

Even when telemetry exists, analysts burn time answering: “Is this expected?”

An LLM-assisted SOC workflow can speed up:

• Summarizing what changed (extension update timeline, new domains contacted)
• Mapping observed requests to extension IDs and installed base
• Producing a human-readable narrative: “Extension X is intercepting requests on domains A, B, C and posting chat-like payloads to domains Y, Z.”

This isn’t about replacing analysts. It’s about compressing the window between first signal and containment action.

3) Protect the browser like an endpoint, not a “thin client”

Most companies still treat the browser as “just where SaaS runs.” Meanwhile, attackers treat it as the best place to steal data.

AI-driven endpoint security and browser security can flag:

• Suspicious extension behavior (script injection, API hooking)
• Unexpected permission use patterns
• Newly introduced network destinations after extension updates

The stance I recommend: your browser extension posture deserves the same rigor as endpoint software inventory.

Practical defense: what to do Monday morning

If you’re trying to turn this into action (not a scary story), here’s a concrete plan you can run without boiling the ocean.

1) Build an “AI chat” data classification rule set

Start by defining which web apps are considered AI chat endpoints in your environment. Then classify them as sensitive interaction surfaces.

Actions to attach to that classification:

• Stronger browser controls (extension restrictions, isolation where needed)
• Enhanced logging (domain + request metadata + destination reputation)
• DLP rules tuned for prompt-like payloads (not just file uploads)

2) Implement extension allowlisting (yes, even if it annoys people)

If your org allows “any extension,” you’ve already accepted this risk.

Minimum viable policy:

• Allowlist approved extensions
• Block “unknown publisher” and high-risk categories (free VPNs, coupon finders, “shopping helpers”)
• Require justification for extensions requesting broad permissions
• Review changes when an extension updates permissions or behavior

The key improvement: treat extension updates as a change-management event, not background noise.

3) Add detections for API hooking and script injection

Even if you can’t inspect extension code at scale, you can monitor outcomes:

• Unusual DOM/script injections on specific sensitive domains
• Unexpected calls to fetch()/XMLHttpRequest() wrappers (via browser telemetry tools where available)
• New outbound destinations that appear only during AI chat sessions

This is where AI-driven anomaly analysis helps because you’re often looking for combinations of weak signals.

4) Watch for “dual-use” marketing analytics endpoints

A recurring enterprise lesson: data theft often masquerades as analytics.

Create a detection bucket for:

• New analytics or stats subdomains that appear post-update
• Endpoints contacted primarily from browsers (not mobile apps, not servers)
• High-frequency, small JSON posts tied to user interaction events

Then apply strict scrutiny when those endpoints light up around AI chat usage.

5) Reduce the blast radius with safer AI access patterns

If employees rely on public chat UIs, you’re stuck defending a chaotic surface area.

Safer patterns:

• Provide an enterprise AI gateway or sanctioned AI assistant
• Route through managed identity and conditional access
• Centralize logging and policy enforcement
• Apply prompt/response redaction for known sensitive data types

You still need browser controls. But you stop depending on every user to make perfect decisions.

People also ask: “If the extension says it anonymizes data, is it safe?”

No. Anonymization claims don’t eliminate the underlying risk for three reasons:

1. Prompts often contain direct identifiers (names, emails, account numbers, internal URLs). You can’t reliably scrub what you can’t consistently detect.
2. Re-identification is realistic when you combine timestamps, session metadata, and conversation context.
3. The security failure happens before anonymization—the data is still collected and transmitted to third-party infrastructure.

If your enterprise data leaves the browser to an untrusted endpoint, you’ve already lost control.

Where this fits in the AI in Cybersecurity series

This case is a reminder that “AI security” isn’t only about model risks like prompt injection or data poisoning. It’s also about protecting the workflows where AI is used, and the browser is the primary workflow surface.

AI can help on the defender side by:

• Detecting abnormal data flows in real time
• Prioritizing alerts that match exfiltration patterns
• Automating containment steps (disable extension, revoke sessions, block domains)

The hard truth: attackers don’t need to break your AI model if they can just siphon the conversations.

Next steps: a simple way to test your exposure

If you want a fast internal check:

1. Inventory installed extensions across corporate browsers.
2. Identify extensions with broad permissions (all sites, read/modify data).
3. Monitor outbound traffic during AI chat sessions for new or unusual analytics endpoints.
4. Run a tabletop exercise: “A popular extension update starts exfiltrating AI prompts—what do we do in the first 30 minutes?”

If you can’t answer that last one crisply, that’s your roadmap.

The question worth sitting with as we head into 2026: when your users talk to AI all day, are you protecting the conversation like sensitive data—or treating it like harmless text?