Full Report
More than 8 million people have installed extensions that eavesdrop on chatbot interactions Ad blockers and VPNs are supposed to protect your privacy, but four popular browser extensions have been doing just the opposite. According to research from Koi Security, these pernicious plug-ins have been harvesting the text of chatbot conversations from more than 8 million people and sending them back to the developers.…
Analysis Summary
# Tool/Technique: Browser Extensions Harvested AI Chat Data
## Overview
This summary details the activity surrounding four popular browser extensions (Urban VPN Proxy, 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker) identified by Koi Security for actively harvesting the text content of user interactions with multiple major AI chatbot platforms. The extensions were marketed as privacy tools (VPNs, Ad blockers) but performed unauthorized, default-enabled data exfiltration.
## Technical Details
- Type: Technique (Malicious use of legitimate software infrastructure)
- Platform: Browser (Chrome, Chromium-based browsers like Edge)
- Capabilities: Interception of browser API calls, harvesting of sensitive text data, exfiltration to external endpoints.
- First Seen: Findings reported in December 2025, with data collection potentially active since July 2025 for some users.
## MITRE ATT&CK Mapping
- T1552 - Credentials Access
- T1552.001 - Credentials in Files (Potentially capturing conversation context which might include sensitive details)
- T1059 - Command and Scripting Interpreter
- T1059.005 - Visual Basic (If used in associated developer scripts, though the focus here is JavaScript execution)
- T1056 - Input Capture
- T1056.001 - Keylogging (Indirectly, by capturing submitted text)
- T1560 - Archive Collected Data
- T1560.001 - Archive via Library (Packaging intercepted data within extension framework)
- T1041 - Exfiltration Over C2 Channel
- T1041.004 - Application Layer Protocol (Using standard HTTP/HTTPS POSTs via service workers)
## Functionality
### Core Capabilities
- **Targeted Platform Monitoring:** Monitoring of browser tabs for visits to ten specific AI platforms, including ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok, and Meta AI.
- **Default Data Harvesting:** Data collection was enabled by default via a hardcoded configuration flag, with no user-facing toggle to disable it other than uninstalling the extension.
- **API Interception:** Overriding fundamental browser APIs (`fetch()` and `XMLHttpRequest`) to force all network requests and responses on targeted pages through the extension's code.
- **Data Packaging:** Parsing intercepted API responses, packaging the conversational data, and marking it with the identifier `PANELOS_MESSAGE`.
### Advanced Features
- **Content Script Communication:** Using `window.postMessage` to securely pass harvested data from the injected script context to the extension's content script.
- **Background Exfiltration:** Utilizing the extension's **service worker** to handle the final network transmission of the packaged data to C2 endpoints.
- **Privacy Policy Evasion:** Leveraging loopholes in the Chrome Web Store Limited Use Policy, possibly by falsely claiming exceptions (e.g., for security or single-purpose improvement) to justify data transfer to third parties/data brokers like BiScience.
## Indicators of Compromise
- File Hashes: [Not provided in the article]
- File Names: Urban VPN Proxy, 1ClickVPN Proxy, Urban Browser Guard, Urban Ad Blocker (Extension names)
- Registry Keys: [Not applicable to browser extensions but persisted configuration]
- Network Indicators:
- `analytics.urban-vpn[.]com`
- `stats.urban-vpn[.]com`
- Behavioral Indicators:
- Injection of custom "executor" scripts into chatbot web pages.
- Overriding of native JavaScript `fetch` and `XMLHttpRequest` functions.
- Communication between page context, content scripts, and the extension service worker using messages tagged with `PANELOS_MESSAGE`.
## Associated Threat Actors
- Developers/Entities associated with **Urban VPN**, **1ClickVPN**, and **BiScience** (mentioned as an affiliated company receiving data).
## Detection Methods
- Signature-based detection: Scanning extension code for the presence of the specific "executor" scripts or network communication to the identified exfiltration domains.
- Behavioral detection: Monitoring content scripts for attempts to override `fetch` or `XMLHttpRequest` when specific domains (AI platforms) are loaded in the foreground tab. Monitoring service worker activity for unexplained outbound REST calls to non-standard analytics domains.
- YARA rules: Could be developed to identify known string patterns or code structures used in the execution scripts.
## Mitigation Strategies
- **Prevention Measures:** Immediate uninstallation of the four explicitly named extensions (Urban VPN Proxy, 1ClickVPN Proxy, Urban Browser Guard, Urban Ad Blocker).
- **Hardening Recommendations:** Users should treat extensions labeled as "privacy" tools with high suspicion if they require extensive network or host permissions. Reviewing extension permissions carefully, especially posts a silent update that changes functionality (version 5.5.0 mentioned for Urban VPN). Users should specifically scrutinize data collection disclosures tied to Limited Use Policy exceptions.
## Related Tools/Techniques
- Malicious/Deceptive Browser Extensions (General category)
- Data Stealing via JavaScript Injection
- Information harvesting performed under the guise of legitimate tooling (e.g., VPNs or Ad Blockers).