What would you do if the digital shield you installed to hide your browsing suddenly began reading and recording the private questions you ask an AI — and did so by design? Security researchers say that is exactly what happened: a popular VPN browser extension has been found to intercept conversations across multiple conversational AI platforms, quietly harvesting user interactions even when its VPN service is not in use.
The revelation, disclosed by independent researchers and reported across security outlets, describes a browser extension whose code contains platform-specific “executor” scripts aimed at ten major AI services — including ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok (xAI) and Meta AI. Those executor scripts are reportedly hardcoded into the extension’s configuration with flags that enable harvesting by default. Crucially, there is no in‑product toggle to disable the behavior: the only way to stop the data collection is to uninstall the extension entirely. Researchers further report that the data‑collection runs continuously in the background and is independent of whether the VPN is connected, meaning the privacy promise of the VPN functionality is effectively severed from the extension’s telemetry and exfiltration behavior .
To understand why this is alarming, consider how browser extensions operate. Many useful extensions request broad permissions — read and change site data, intercept requests, and run persistent background processes — to deliver features. Those same permissions, when combined with push updates or malicious code, can turn a trusted tool into a data‑collection engine. In this case researchers observed code changes and persistent background scripts that enable continuous capture of chat content and related metadata, then forward those data to remote endpoints. The result is a tool that can both route traffic (the VPN promise) and siphon sensitive conversational data (the spyware reality) .
What happened appears to be part of a larger pattern the security community has warned about for years: extensions with network‑level access and broad scopes are attractive vectors for surveillance and exfiltration. The mechanics are straightforward — new event listeners, remote code loaders and background executors give an extension the ability to read page content and intercept requests — but the impact is anything but trivial. Harvested AI chats can include medical questions, financial information, legal queries and other intimate details that users reasonably expect to remain private. Those transcripts are valuable: they can be used for targeted fraud, sold to data brokers, or leveraged for more invasive surveillance depending on who controls the receiving infrastructure .
Why this matters now: conversational AI is woven into growing numbers of personal and professional workflows. People consult assistants about health, finances, legal concerns and workplace tasks. When those conversations are exposed, the harms multiply — privacy erosion, identity theft, reputational damage and chilling effects on free inquiry. Moreover, because many AI platforms log interactions for improvement and safety purposes, adding a third‑party capture mechanism outside the platforms’ control compounds risk and complicates accountability. Even when platforms and VPN vendors dispute findings or claim remediation, the core governance question remains: who gets to collect and control the intimate records of human‑machine conversations? .
Different actors see different problems and solutions:
- Technologists and security researchers urge rapid code audits, transparent disclosures, and stronger store policies. They point out that marketplaces should require provenance checks for extensions that request powerful permissions, and that extension updates which change behavior should trigger explicit user consent or independent review. Behavioral scanning and static analysis can detect many problems but are not foolproof; sophisticated exfiltration can be hidden under legitimate proxy traffic patterns .
- Policymakers and regulators face a governance gap. Existing consumer‑protection and data‑privacy frameworks can be invoked (for example, rules around deceptive practices and unlawful data processing), but cross‑border distribution of extensions and varied legal standards complicate enforcement. Some experts call for mandatory audits or higher assurance requirements for extensions whose scopes allow them to read and transmit content from other websites or apps .
- Users must make hard choices: uninstalling an extension may restore privacy but remove convenience. The incident underscores a broader digital hygiene need — regularly auditing installed extensions, reviewing permissions, relying on well‑maintained and audited tools, and preferring native or vendor‑provided VPN solutions with clear transparency practices .
- Potential adversaries — criminals and state actors — may find harvested AI chat logs a rich target. Transcripts can reveal vulnerabilities for social engineering, show private intentions, or provide material for surveillance campaigns. That makes the data both lucrative and dangerous if it changes hands or is exploited in targeted attacks .
There are practical mitigations. At a minimum: uninstall extensions that request broad access you do not need; keep browsers and extensions updated; use purpose‑limited tools for sensitive tasks; and favor vendors that publish independent audit reports. Browser vendors can help by tightening review processes, restricting background persistence for nonessential extensions, and making permission‑changes highly visible to users. Regulators can clarify obligations for data collectors and require notification when an installed extension begins transmitting user‑generated content to third parties .
Some will wince at the notion that a privacy tool can be turned into a surveillance tool overnight. Others will point out that this is an expected risk in an ecosystem built on convenience, opaque updates and centralized marketplaces. Neither reaction dismisses the other: the incident is both a technical failure and a governance failure.
As we weigh fixes — better technical controls, sharper marketplace rules, and clearer legal accountability — the user remains the axis around which practical safety revolves. Tools must be designed so users can understand, control and, when necessary, stop how their data flows. When those controls are absent or hidden, trust evaporates.
If a single extension can quietly intercept conversations across leading AI platforms, what does that say about the broader architecture of privacy on the web — and how long will we trust the tools we install to protect us?
Source: https://www.schneier.com/blog/archives/2025/12/urban-vpn-proxy-surreptitiously-intercepts-ai-chats.html




