A hot potato: Several widely installed browser extensions endorsed by both Google and Microsoft secretly captured detailed user interactions with AI chat platforms. According to findings released by cybersecurity firm Koi, the data was transmitted to remote servers for marketing analysis.

Koi's investigation identified eight such extensions available on the Chrome Web Store and Microsoft Edge Add-ons page, collectively surpassing eight million installations. Seven of them carried Featured badges – official endorsements suggesting the software had passed the platforms' quality or safety review standards. Most promised privacy protections through free services like VPN routing or ad blocking, assuring users that personal data remained anonymous and confined to the extensions' stated functions.

Koi's technical analysis revealed that each extension contained a set of eight executor scripts explicitly designed for popular AI chat interfaces, including ChatGPT, Claude, Google Gemini, Copilot, Perplexity, DeepSeek, Grok, and Meta AI. When users interacted with any of these platforms, the scripts injected themselves into the webpage, overriding built-in browser functions such as fetch() and HttpRequest.

By replacing those standard processes, the executors intercepted all exchanges between the browser and the AI service. Koi CTO Idan Dardikman told Ars Technica that this design captured data before it appeared on screen, recording a complete conversation in raw form, including prompts, the AI's responses, timestamps, and the transmission of copies to their servers.

Because the executor scripts operated independently of the VPN or ad-blocking functions, disabling those features did not prevent data collection. Koi said the only way to stop the harvesting was to disable or uninstall the extensions entirely.
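The override Koi describes, scripts replacing the page's own fetch() and request APIs with their wrappers, can be checked for from the defender's side. The following is an added example, not Koi's or the extensions' code: it assumes the request API the article calls "HttpRequest" is the standard XMLHttpRequest, and it uses constructed stand-ins for a clean and a hooked page so it runs outside a browser.

```javascript
// Added example, not Koi's or the extensions' code. Heuristic check for the
// kind of override the report describes: executor scripts replacing the page's
// fetch() and XMLHttpRequest (assumed here to be the "HttpRequest" named in the
// article) with their own JavaScript wrappers.

// Engine-native functions stringify as "function name() { [native code] }".
const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

// Call Function.prototype.toString directly so a wrapper cannot simply give
// itself a custom .toString. (A hook that also replaces
// Function.prototype.toString defeats this check; comparing against a
// freshly created <iframe>'s contentWindow.fetch is the stronger cross-check.)
function isNativeFunction(fn) {
  return typeof fn === "function" && NATIVE_RE.test(Function.prototype.toString.call(fn));
}

// Audit a window-like object. Returns the network entry points that are
// missing or no longer backed by native code, i.e. candidates for injected hooks.
function auditNetworkApis(win) {
  const xhrProto = win.XMLHttpRequest ? win.XMLHttpRequest.prototype : {};
  const targets = {
    "fetch": win.fetch,
    "XMLHttpRequest.prototype.open": xhrProto.open,
    "XMLHttpRequest.prototype.send": xhrProto.send,
  };
  return Object.entries(targets)
    .filter(([, fn]) => !isNativeFunction(fn))
    .map(([name]) => name);
}

// Constructed stand-ins so the audit can run outside a browser: Math.max plays
// the untouched native API, and a plain pass-through wrapper plays an injected
// script's replacement (it behaves the same but no longer reads as native code).
function wrap(original) {
  return function (...args) { return original.apply(this, args); };
}
function makeWindow({ hookFetch = false, hookXhr = false } = {}) {
  function XMLHttpRequest() {}
  XMLHttpRequest.prototype.open = Math.max;
  XMLHttpRequest.prototype.send = Math.max;
  const win = { fetch: Math.max, XMLHttpRequest };
  if (hookFetch) win.fetch = wrap(win.fetch);
  if (hookXhr) {
    XMLHttpRequest.prototype.open = wrap(XMLHttpRequest.prototype.open);
    XMLHttpRequest.prototype.send = wrap(XMLHttpRequest.prototype.send);
  }
  return win;
}
```

In a real browser, run `auditNetworkApis(window)` from the DevTools console on the AI chat page; an empty list means the three entry points still read as native code, while any name returned is worth investigating against the installed extensions.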

Koi first detected the interception behavior in Urban VPN Proxy, a Chrome extension that markets AI protection among its security features. According to the firm, version 5.5.0 – released after July 9, 2025 – initiated the data harvesting behavior.

Koi warned that anyone using AI platforms such as ChatGPT, Claude, or Gemini while that version was active should assume "those conversations are now on Urban VPN's servers and have been shared with third parties."

After confirming the vulnerability in Urban VPN Proxy, Koi uncovered seven additional extensions implementing identical data-collection code. Four of those were available through the Chrome Web Store, and four were distributed through Microsoft Edge Add-ons.

Though many of these extensions publicly describe AI protection features, their disclosures about data handling are inconsistent. Urban VPN's product description on the Chrome store claims that its VPN "checks prompts for personal data," warning users about unsafe links before submission.

However, Google's attached privacy statement states that the developer "has declared that user data isn't sold to third parties outside of approved use cases" and won't be used beyond core functionality – defined as location, browsing history, and website content.

Koi noted that users do encounter a consent notice during installation, stating that the software processes "ChatAI communication," "pages you visit," and "security signals" to provide protections such as malware prevention or ad blocking.

Yet the only direct agreement permitting chat-based data collection appears buried deep within Urban VPN's 6,000-word privacy policy. There, the company disclosed that it would "collect the prompts and outputs queried by the End-User or generated by the AI chat provider" and would "disclose the AI prompts for marketing analytics purposes."

All eight extensions trace back to Urban Cyber Security, a developer that advertises its apps and plugins as being used by 100 million people worldwide. Its privacy policy identifies an affiliated partner, BiScience (also listed as B.I Science), which "uses this raw data and creates insights which are commercially used and shared with Business Partners."

BiScience's own policy states that its services "transform enormous volumes of digital signals into clear, actionable market intelligence." The firm's practices have previously been examined publicly for misrepresenting data-collection methods.

Attempts by reporters to contact Urban Cyber Security and BiScience yielded no replies. Calls placed to BiScience's New York office were redirected to a representative in Israel, who advised phoning during that country's business hours. As of Wednesday evening, Google had not responded to questions about its Featured endorsements or whether it intended to remove the extensions. Microsoft later said it had nothing to share.
