{"id":6222,"date":"2025-12-16T11:48:59","date_gmt":"2025-12-16T11:48:59","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6222"},"modified":"2025-12-16T11:48:59","modified_gmt":"2025-12-16T11:48:59","slug":"featured-urban-vpn-caught-stealing-private-ai-chats","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6222","title":{"rendered":"\u2018Featured\u2019 Urban VPN caught stealing private AI chats"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Security researchers have found that Urban VPN Proxy, a widely used free browser VPN extension with millions of installs, has been collecting and exporting full AI chat conversations from users\u2019 browsers.<\/p>\n<p>For organizations where employees routinely paste internal context, code snippets, customer details, or investigative notes into AI tools, the behavior represents a direct data-exfiltration channel operating entirely outside traditional enterprise security controls.<\/p>\n<p>The issue is not limited to VPN traffic or encrypted sessions.<\/p>\n<p>According to Koi Security\u2019s findings, Urban VPN injects scripts that activate whenever users interact with popular AI platforms, capturing both prompts and responses, even when VPN features are disabled.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Hidden scripts in \u201cprivacy\u201d armor<\/h2>\n<p>Apart from offering a VPN service, <a href=\"https:\/\/chromewebstore.google.com\/detail\/urban-vpn-proxy\/eppiocemhmnlbhjplcgkofciiegomcon\">Urban VPN Proxy<\/a> deployed \u201cexecutor\u201d scripts that activate when a user opens AI chat platforms like ChatGPT, Claude, Gemini, Perplexity, Grok, and others. 
\u201cEach platform has its own dedicated script: chatgpt.js, claude.js, gemini.js, and so on,\u201d Koi researchers said in a blog <a href=\"https:\/\/www.koi.ai\/blog\/urban-vpn-browser-extension-ai-conversations-data-collection\" target=\"_blank\" rel=\"noopener\">post<\/a>.<\/p>\n<p>These scripts override key browser network APIs to intercept everything a user types and receives, package it, and send it off to Urban VPN\u2019s backend systems. The underlying code continuously monitors AI conversation content and related metadata, and uploads it regardless of VPN use.<\/p>\n<p>The Chrome extension carries high ratings and a \u201cFeatured\u201d badge from Google, giving users an implicit trust signal, the researchers noted. \u201cThe badge from Google means it had passed manual review and met what Google describes as a high standard of user experience and design,\u201d they said.<\/p>\n<p>Google did not immediately respond to CSO\u2019s request for comment.<\/p>\n<p>Both Chrome and Edge variants of the extension remain live on the Chrome Web Store and the Edge Add-ons store, respectively.<\/p>\n<p>Urban\u2019s storefront marketing even highlights an \u201cAI protection\u201d feature that claims to check user prompts for sensitive data. But Koi found that the surveillance layer runs independently of this protective feature and exfiltrates all AI interaction data whether users want it collected or not.<\/p>\n<h2 class=\"wp-block-heading\">Crooks stole chats from 8 million accounts<\/h2>\n<p>Koi researchers revealed that Urban VPN is operated by Urban Cyber Security Inc., which is affiliated with BiScience (B.I Science Ltd), a data broker company.<\/p>\n<p>\u201cThis company has been on researchers\u2019 radar before,\u201d the researchers added. 
\u201cSecurity researchers Wladimir Palant and John Tuckner at <a href=\"https:\/\/secureannex.com\/blog\/sclpfybn-moneitization-scheme\/\" target=\"_blank\" rel=\"noopener\">Secure Annex<\/a> have previously documented BiScience\u2019s data collection practices.\u201d Their research found that BiScience <a href=\"https:\/\/palant.info\/2025\/01\/13\/biscience-collecting-browsing-history-under-false-pretenses\/\" target=\"_blank\" rel=\"noopener\">collects<\/a> re-identifiable clickstream data at scale and monetizes it via its SDK and products like AdClarity and Clickstream OS.<\/p>\n<p>Hundreds of millions of AI conversations have been captured, pooled across multiple extensions from the same publisher, reaching a combined user base well over eight million.<\/p>\n<p>Koi noted that the AI conversation capability on Urban VPN was introduced through extension updates over time, evolving from earlier browsing telemetry into broader monitoring of generative AI interactions as these tools gained mainstream adoption. The findings echo broader <a href=\"https:\/\/www.csoonline.com\/article\/4102571\/keep-ai-browsers-out-of-your-enterprise-warns-gartner-2.html\">warnings<\/a> that browser-based AI tools and extensions are becoming an unmanaged <a href=\"https:\/\/www.csoonline.com\/article\/4099446\/newly-discovered-malicious-extensions-could-be-lurking-in-enterprise-browsers.html\">risk layer<\/a> for enterprises, and should be treated as part of the attack surface rather than mere convenience features.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security researchers have found that Urban VPN Proxy, a widely used free browser VPN extension with millions of installs, has been collecting and exporting full AI chat conversations from users\u2019 browsers. 
For organizations where employees routinely paste internal context, code snippets, customer details, or investigative notes into AI tools, the behavior represents a direct data-exfiltration [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6223,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6222","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6222"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6222"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6222\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6223"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6222"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6222"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6222"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}