A Google Chrome extension with a “Featured” badge and 6 million customers has been noticed silently gathering each immediate entered by customers into synthetic intelligence (AI)-powered chatbots like OpenAI ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, xAI Grok, Meta AI, and Perplexity.
The extension in query is City VPN Proxy, which has a 4.7 score on the Google Chrome Internet Retailer. It is marketed because the “finest secured Free VPN entry to any web site, and unblock content material.” Its developer is a Delaware-based firm named City Cyber Safety Inc. On the Microsoft Edge Add-ons market, it has 1.3 million installations.
Regardless of claiming that it permits customers to “shield your on-line identification, keep protected, and conceal your IP,” the extension was up to date on July 9, 2025, when model 5.5.0 was launched with the AI information harvesting enabled by default utilizing hard-coded settings.
Particularly, that is achieved by way of a tailor-made executor JavaScript that is triggered for every of the AI chatbots (i.e., chatgpt.js, claude.js, gemini.js) to intercept and collect the conversations each time a consumer who has put in the extension visits any of the focused platforms.
As soon as the script is injected, it overrides the browser APIs used to deal with community requests – fetch() and XMLHttpRequest() – to ensure that each request is first routed by way of the extension’s code in order to seize the dialog information, together with customers’ prompts and the chatbot’s responses, and exfiltrate them to 2 distant servers (“analytics.urban-vpn[.]com” and “stats.urban-vpn[.]com”).
The precise checklist of information captured by the extension is as follows –
- Prompts entered by the consumer
- Chatbot responses
- Dialog identifiers and timestamps
- Session metadata
- AI platform and mannequin used
“Chrome and Edge extensions auto-update by default,” Koi Safety’s Idan Dardikman mentioned in a report revealed at this time. “Customers who put in City VPN for its acknowledged goal – VPN performance – wakened at some point with new code silently harvesting their AI conversations.”
It is price mentioning that City VPN’s up to date privateness coverage, as of June 25, 2025, mentions that it collects this information to boost Protected Looking and for advertising and marketing analytics functions, and that every other secondary use of the gathered AI prompts will probably be carried out on de-identified and anonymized information –
As a part of the Looking Information, we’ll gather the prompts and outputs quired [sic] by the Finish-Consumer or generated by the AI chat supplier, as relevant. Which means, we’re solely within the AI immediate and the outcomes of your interplay with the chat AI.
As a result of nature of the info concerned in AI prompts, some delicate private data could also be processed. Nonetheless, the aim of this processing is to not gather private or identifiable information, we can’t totally assure the elimination of all delicate or private data, we implement measures to filter out or eradicate any identifiers or private information you could submit by way of the prompts and to de-identify and mixture the info.
One of many third-parties it shares “Internet Looking Information” with is an affiliated advert intelligence and model monitoring agency named BIScience. The corporate makes use of the uncooked (not anonymized) information to create insights which might be “commercially used and shared with Enterprise Companions,” the VPN software program maker notes.
It is price noting BiScience, which additionally occurs to personal City Cyber Safety Inc., was known as out by an nameless researcher earlier this January for accumulating customers’ looking historical past, or clickstream information, because it’s known as, below deceptive privateness coverage disclosures.
The corporate is alleged to supply a software program improvement package (SDK) to accomplice third-party extension builders to gather clickstream information from customers, which is transmitted to the sclpfybn[.]com and different endpoints below its management.
“BIScience and companions make the most of loopholes within the Chrome Internet Retailer insurance policies, primarily exceptions listed within the Restricted Use coverage, that are the ‘permitted use circumstances,'” the researcher famous, including they “develop user-facing options that allegedly require entry to looking historical past, to assert the ‘essential to offering or bettering your single goal’ exception.”
On the extension itemizing web page, City VPN additionally highlights an “AI safety” function, which it says checks prompts for private information, chatbot responses for suspicious or unsafe hyperlinks, and shows a warning earlier than customers submit their prompts or click on on them.
Whereas this monitoring is framed as stopping customers from unintentionally sharing any private data, what the builders fail to say is that the info assortment occurs no matter whether or not the function is enabled.
“The safety function reveals occasional warnings about sharing delicate information with AI corporations,” Dardikman mentioned. “The harvesting function sends that actual delicate information – and all the pieces else – to City VPN’s personal servers, the place it is bought to advertisers. The extension warns you about sharing your e-mail with ChatGPT whereas concurrently exfiltrating your complete dialog to a knowledge dealer.”
Koi Safety mentioned it noticed an identical AI harvesting performance in three different distinctive extensions from the identical writer throughout Chrome and Microsoft Edge, taking its complete set up base to over eight million –
- 1ClickVPN Proxy
- City Browser Guard
- City Advert Blocker
All these extensions, except for City Advert Blocker for Edge, carry the “Featured” badge, giving customers an impression that they observe the platform’s “finest practices and meet a excessive normal of consumer expertise and design.”
“These badges sign to customers that the extensions have been reviewed and meet platform high quality requirements,” Dardikman identified. “For a lot of customers, a Featured badge is the distinction between putting in an extension and passing it by – it is an implicit endorsement from Google and Microsoft.”
The findings as soon as once more display how belief related to extension marketplaces will be abused to amass delicate information at scale, particularly at a time when customers are more and more sharing deeply private data, getting recommendation, and discussing feelings with AI chatbots.
The Hacker Information has reached out to each Google and Microsoft for remark, and we’ll replace the story if we hear again.
Elevate your perspective with NextTech Information, the place innovation meets perception.
Uncover the newest breakthroughs, get unique updates, and join with a world community of future-focused thinkers.
Unlock tomorrow’s traits at this time: learn extra, subscribe to our publication, and turn into a part of the NextTech neighborhood at NextTech-news.com
