Browser Tools Capture Chatbot Data, Sell to Data Broker: Koi Security

A browser extension promising a free clientless VPN for Chrome users has been harvesting conversations from artificial intelligence chatbot platforms and selling the data to third-party brokers.
Urban VPN Proxy, which carries a 4.7-star rating and a “Featured” badge on the Chrome Web Store, has collected conversation data from eight major AI platforms since July, affecting approximately 8 million users across multiple extensions, Koi Security said. The app harvested every prompt users sent to, and every response they received from, ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok and Meta AI.
The data collection operates independently of the VPN functionality itself. Whether users turn on the VPN or disconnect it, the harvesting runs continuously in the background with no user-facing option to disable it. Users who want to stop the collection must uninstall the extension entirely, said Idan Dardikman, co-founder and CTO of Koi Security.
Seven additional extensions from the same publisher for Chrome and Edge browsers, including 1ClickVPN Proxy, Urban Browser Guard and Urban Ad Blocker, also surveil users. Most carry a “Featured” badge from their respective app stores, signaling that the extensions have undergone manual review and met what Google describes as high standards for user experience and design.
Free VPN services have long come freighted with a side of surveillance. Google in November warned users to be wary of free VPNs, cautioning that they can steal sensitive data such as private messages and account credentials. Facebook famously faced intense backlash – and an Australian $20 million fine in 2023 – for harvesting data about teen users from its Onavo VPN subsidiary.
The Urban VPN harvesting functionality appeared in version 5.5.0, released on July 9 – prior versions did not contain AI conversation capture capabilities. Chrome and Edge extensions auto-update by default, meaning users who installed the extension for VPN functionality received the surveillance code without notification or consent. Anyone who used the targeted AI platforms while running Urban VPN after that date should assume their conversations have been captured and shared with third parties, Koi Security said.
The extension monitors browser tabs and injects dedicated executor scripts into pages when users visit selected AI platforms. Each platform has its own script, such as chatgpt.js or claude.js. Once injected, these scripts override fetch and XMLHttpRequest, the fundamental browser APIs that handle network requests, allowing the extension to intercept all network traffic on the page before the browser renders it.
When an AI chatbot sends a response or a user submits a prompt, the extension captures the raw API traffic. The injected script parses intercepted API responses to extract conversation data, including every prompt sent to the AI, every response received, conversation identifiers, timestamps, session metadata, and the specific AI platform and model used. The script packages this data and sends it via window.postMessage to the extension’s content script, tagged with the identifier PANELOS_MESSAGE. The content script forwards the data to a background service worker, which compresses and transmits it to Urban VPN servers.
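The two techniques described above suggest a page-side check. The following is an added example, not code from Koi Security's report or from the extension: it flags request APIs that are no longer the browser's own implementations, and classifies a postMessage payload that carries the PANELOS_MESSAGE tag. The page does not say which field the tag sits in, so scanning both keys and values is an assumption, as is the constructed fake window used to exercise the functions.

```javascript
const HARVEST_TAG = "PANELOS_MESSAGE";

// Browser-provided functions stringify as "function fetch() { [native code] }";
// a wrapper installed by an injected script shows its own source text instead.
function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  // Function.prototype.bind also stringifies as "[native code]", so a wrapper
  // bound over the original would pass the string test; its name exposes it.
  if (fn.name.startsWith("bound ")) return false;
  return Function.prototype.toString.call(fn).includes("[native code]");
}

// Returns the names of request entry points that are no longer native.
// A non-empty result is strong evidence of interception; an empty one is only
// weak evidence, since a script can replace Function.prototype.toString as well.
function auditNetworkApis(win) {
  const xhr = win.XMLHttpRequest && win.XMLHttpRequest.prototype;
  const targets = {
    fetch: win.fetch,
    "XMLHttpRequest.prototype.open": xhr && xhr.open,
    "XMLHttpRequest.prototype.send": xhr && xhr.send,
  };
  return Object.keys(targets).filter(
    (name) => typeof targets[name] === "function" && !isNativeFunction(targets[name])
  );
}

// True when a postMessage payload is tagged the way the injected scripts tag
// captured conversations before handing them to the content script (assumed layout).
function looksLikeHarvestMessage(data) {
  if (data === HARVEST_TAG) return true;
  if (!data || typeof data !== "object") return false;
  return Object.entries(data).some(([k, v]) => k === HARVEST_TAG || v === HARVEST_TAG);
}

// Constructed stand-in for a page global: V8 built-ins play the role of the
// browser's native fetch/XHR, and `patched` wraps fetch the way the article describes.
function fakeWindow(patched) {
  const win = { fetch: Math.max, XMLHttpRequest: function XMLHttpRequest() {} };
  win.XMLHttpRequest.prototype.open = Math.min;
  win.XMLHttpRequest.prototype.send = Math.abs;
  if (patched) {
    const original = win.fetch;
    win.fetch = function (...args) { return original(...args); }; // JS wrapper, not native
  }
  return win;
}

// In a real page: run auditNetworkApis(window) after load, and
// window.addEventListener("message", (e) => { if (looksLikeHarvestMessage(e.data)) console.warn(e); });
```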
Urban VPN Proxy is operated by Urban Cyber Security Inc., which maintains affiliation with data broker company BiScience. Security researchers including Wladimir Palant and John Tuckner at Secure Annex have previously documented BiScience’s data collection practices. Their research established that BiScience collects clickstream data and browsing history from millions of users, ties data to persistent device identifiers enabling re-identification, provides an SDK to third-party extension developers to collect and sell user data, and sells aggregated data through products including AdClarity and Clickstream OS.
The Koi Security findings point to an expansion of BiScience’s data collection operations from browsing history into complete AI conversations. Urban VPN’s privacy policy acknowledges the data flow, saying that the company shares web browsing data with its affiliated company BiScience, which uses the raw data to create insights that are commercially used and shared with business partners.
The now-deactivated Chrome Web Store listing for Urban VPN Proxy promotes AI protection as a feature, describing advanced VPN protection that helps shield browsing experiences from phishing attempts, malware and intrusive ads. The listing claims the AI protection feature checks prompts for personal data such as email addresses or phone numbers, examines AI chat responses for suspicious or unsafe links, and displays warnings before users click or submit prompts. The store listing also states that data is not being sold to third parties outside approved use cases.
Dardikman reportedly said that Koi did not contact Google or Microsoft about the extension’s behavior because it exists in a gray area that is arguably within their stated policies, even if it violates user expectations. The fact that the surveillance is technically disclosed in a privacy policy doesn’t change the user experience, Dardikman said. Users install a VPN for privacy protection, see AI protection warnings telling them to be careful what they share with AI companies, and meanwhile every word they type is being shipped to a data broker.
People tell AI chatbots secrets they don’t share with search engines, Dardikman said. Users have asked chatbots about medical concerns and financial details, and have confessed to having relationship issues.
