Hidden Data Harvest: Extensions Intercept AI Chats and Credentials

A chain of recent disclosures shows that seemingly helpful browser extensions — including a long‑running Chrome add‑on and several “privacy” VPN tools with millions of installs — quietly gained the ability to intercept, record and transmit users’ AI-chat conversations and web traffic, turning convenience into a high‑value data pipeline that can leak passwords, health and financial information, intellectual property and corporate secrets.

Background

Browser extensions are small programs that run inside your browser and, to perform many legitimate functions, often require broad permissions: reading page content, modifying DOM elements, or intercepting requests. That same power is what attackers and unscrupulous publishers now exploit: rather than infecting machines with malware that sneaks in, a developer can publish a popular extension, accumulate installs and trust, then push an update that changes runtime behavior — often delivered automatically — and suddenly the extension becomes an active surveillance agent.
Security research published this month documents two related but distinct abuses. The first family of incidents centers on a set of Chromium extensions (most notably Urban VPN Proxy and siblings) that were updated in July 2025 to inject per‑site “executor” scripts into AI chat pages; those scripts hook page-level networking APIs (for example, fetch and XMLHttpRequest), capture prompts and responses, and forward the content to analytics backends. Koi Security’s technical disclosure, and the rapid corroboration from multiple outlets, show the update was enabled by default and propagated via auto‑update to millions of users.
The second disclosure comes from Socket’s Threat Research Team, which found two Chrome extensions called Phantom Shuttle that posed as VPN/proxy testing tools but embedded code to route selected high‑value traffic through attacker‑controlled proxies using hardcoded credentials, effectively creating a persistent man‑in‑the‑middle that can capture credentials and session tokens. Socket’s write‑up demonstrates an operational campaign active since at least 2017.
Together these incidents illustrate two common supply‑chain patterns in extension ecosystems: (1) build a useful product and strong install base, then change behavior via an update; and (2) disguise malicious infrastructure under a paid‑or‑useful veneer so victims do not immediately suspect wrongdoing.

What exactly was collected, and how it worked

Executor scripts and page‑context interception

  • The Urban family of extensions added per‑platform executor scripts (named things like chatgpt.js, gemini.js, claude.js) that are injected into the webpage when a user loads an AI assistant.
  • These scripts run inside the page context, where they can see plaintext prompts and model responses before or as the page renders them.
  • They wrap or override browser networking primitives (notably fetch and XMLHttpRequest) so requests/responses pass through extension logic and can be parsed, packaged and forwarded. Because the scripts run in the page, TLS provides no protection — the data is captured before it’s encrypted / after decryption in the client context.
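
A defender can check a page for this kind of wrapping from the DevTools console. The following is an added example, not code from the original post or from the researchers it cites; the function names and the stand-in window object are constructed for illustration.

```javascript
// Added example: heuristic check for wrapped networking primitives in a page.
const NATIVE_BODY = /\{\s*\[native code\]\s*\}\s*$/;

// Call Function.prototype.toString directly so an overridden fn.toString is ignored.
function looksNative(fn) {
  return typeof fn === "function" &&
    NATIVE_BODY.test(Function.prototype.toString.call(fn));
}

// Returns the names of networking APIs on `win` that no longer look native.
function findWrappedNetworkApis(win) {
  const xhr = win.XMLHttpRequest && win.XMLHttpRequest.prototype;
  const candidates = {
    "fetch": win.fetch,
    "XMLHttpRequest.prototype.open": xhr && xhr.open,
    "XMLHttpRequest.prototype.send": xhr && xhr.send,
  };
  return Object.entries(candidates)
    .filter(([, fn]) => fn !== undefined && !looksNative(fn))
    .map(([name]) => name);
}

// Constructed stand-in for a page's window; built-in functions play the native APIs.
function makeFakeWindow() {
  function FakeXHR() {}
  FakeXHR.prototype.open = Array.prototype.push;
  FakeXHR.prototype.send = Array.prototype.pop;
  return { fetch: Math.max, XMLHttpRequest: FakeXHR };
}

// A pass-through wrapper, the general shape of the hook described above.
function installPassThroughWrapper(win) {
  const original = win.fetch;
  win.fetch = function (...args) { return original.apply(this, args); };
}

const demoWindow = makeFakeWindow();
console.log(findWrappedNetworkApis(demoWindow)); // clean stand-in
installPassThroughWrapper(demoWindow);
console.log(findWrappedNetworkApis(demoWindow)); // after wrapping fetch
```

In a real browser, call `findWrappedNetworkApis(window)` on the AI chat page in a test profile. This is a heuristic: a hook can disguise itself, and some sites and legitimate extensions also wrap these APIs, so treat a hit as a reason to review installed extensions rather than as proof.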

Packaging and exfiltration

  • Captured payloads (prompts, responses, timestamps, conversation IDs and model/platform identifiers) were packaged and sent from the content script to the extension’s background worker via window.postMessage, then transmitted to analytics endpoints under the publisher’s control (reported examples: analytics.urban‑vpn.com and stats.urban‑vpn.com).
  • The publisher’s privacy material, as reported by researchers, referenced sharing with an affiliated analytics/data‑broker entity, strengthening the plausible monetization path; however, precise downstream buyers and contracts are not fully enumerated in public reporting and therefore require caution.

Phantom Shuttle: credential‑injection proxy abuse

  • Phantom Shuttle’s code prepends a malicious payload to a legitimate library (jQuery) to insert hardcoded proxy credentials into HTTP authentication challenges via the webRequest onAuthRequired API.
  • That mechanism transparently forces traffic through attacker‑controlled proxies for lists of targeted domains (over 170 high‑value sites were reported), enabling credential capture, session cookie theft, API token harvesting and more.
  • Socket’s analysis ties the extensions to working payment infrastructure (Alipay/WeChat Pay) and C2 infrastructure that periodically exfiltrates captured data.

Scale, timeline and verification

  • Urban VPN Proxy: reported public install counts across stores were on the order of ~6 million on Chrome and ~1.3 million on Edge for Urban VPN alone, with sibling extensions pushing the combined footprint to over 8 million installs. These install figures come from store metadata and telemetry and are corroborated across multiple independent reports.
  • The data‑harvesting capability was introduced in an update identified as version 5.5.0, pushed on July 9, 2025, and enabled by default; because Chrome and Edge auto‑update extensions, many existing installs received the new behavior silently.
  • Phantom Shuttle: Socket reports the extensions were published as early as 2017, with more than 2,000 installs observed for the specific listings at the time of disclosure; the campaign’s longevity indicates operator persistence and demonstrates how abuse can hide in plain sight for years.
Caveat on numbers: public store install counts are imperfect proxies for active, impacted users. They include synced installs, multi‑device accounts and inactive profiles. They do not prove every reported install experienced data exfiltration during the malicious update window, but they are a meaningful indicator of scale and reach. Treat these figures as indicators of potential exposure, not exact counts of compromised sessions.

Why this matters: risk profile for consumers and enterprises

  • High‑fidelity secrets: Full conversation capture is not metadata — it’s the content. Users routinely give AI assistants health, legal, financial, and proprietary information that is directly valuable to advertisers, fraudsters and threat actors.
  • Client‑side blind spot: Traditional security (TLS, server‑side controls) cannot protect against code executing in the browser context. Extensions have the technical ability to observe and modify data before it’s sent or after it’s received.
  • Auto‑update multiplier: Auto‑updates allow a benign extension to become malicious overnight without re‑consent. This is a known supply‑chain weakness for extension ecosystems.
  • Enterprise exposure: Employees using compromised browsers on corporate networks could exfiltrate trade secrets, credentials or source code into third‑party pipelines. That creates both immediate operational risk and regulatory/compliance consequences.

What remains uncertain (and what must be treated cautiously)

  • The core technical claims (executor scripts, API hooking, exfiltration to analytics endpoints) are reproducible and corroborated by multiple independent reports; treat those claims as strongly supported.
  • The complete downstream commercialization chain — who purchased which conversation logs, on what terms, and how those datasets were used — is not exhaustively documented in public reporting at the time of disclosure. Where outlets reference buyers or brokers, those tie‑ins are often derived from published privacy language and indirect telemetry rather than purchase receipts or purchaser confirmations; such claims should be treated as probable but not conclusively proven until forensic or legal disclosures surface.

Practical remediation — prioritized checklist

These steps are ordered for immediacy and impact. Individuals and IT teams should act now.
For individual Windows users:
  1. Uninstall suspect extensions immediately from every browser and profile. Manual removal is the only guaranteed way to stop runtime exfiltration.
  2. Assume chats are compromised: treat any AI conversations conducted while the extension was installed on or after July 9, 2025 as potentially exposed. Rotate passwords and reissue any API keys or tokens pasted into chats. Enable MFA everywhere possible.
  3. Clear site data and sign out of AI services to force session invalidation. Use the AI vendor’s controls to delete chat history and opt out of “improve the model” options where available.
  4. Disable or remove non‑essential extensions and temporarily turn off extensions you don’t actively use. Prefer open‑source or well‑audited tools where possible.
For IT administrators and security teams:
  • Enforce a default‑deny extension posture using Group Policy, Microsoft Intune, or Chrome Browser Cloud Management: allowlist only vetted extensions and block unapproved installs.
  • Audit endpoint extension inventories and identify affected extension IDs; orchestrate removal at scale. Use EDR and proxy logs to hunt for outbound connections to known analytics endpoints (for example analytics.urban‑vpn.com / stats.urban‑vpn.com).
  • Rotate enterprise credentials that may have been pasted into AI chats and conduct a scope analysis for potential data leakage. Treat the incident as a breach if regulated or sensitive data is involved.
Advanced / tech‑savvy checks:
  • Use an isolated test profile and a network proxy (Fiddler, mitmproxy) to observe an extension’s outbound connections. Do not perform this on production profiles.
  • Inspect chrome.storage.sync and account sync settings; clear extension sync data after uninstallation to remove persistent identifiers that can follow users across devices.
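
For the inventory audit above, one way to triage each extension's manifest.json for the two patterns this article describes (content scripts that reach AI chat pages, and proxy control combined with webRequest). This is an added example, not code from the original post or the cited research; the `AI_HOSTS` list, rule names and sample manifests are assumptions constructed for illustration.

```javascript
// Added example. AI_HOSTS is an assumed, non-exhaustive list of assistant hostnames.
const AI_HOSTS = ["chatgpt.com", "chat.openai.com", "gemini.google.com", "claude.ai"];

// True if a Chrome match pattern (<all_urls> or scheme://host/path) covers `host`.
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false; // plain permission names such as "storage" land here
  const h = m[2];
  if (h === "*") return true;
  if (h.startsWith("*.")) return host === h.slice(2) || host.endsWith(h.slice(1));
  return h === host;
}

const coveredAiHosts = (patterns) =>
  AI_HOSTS.filter((host) => patterns.some((p) => patternCoversHost(p, host)));

// Returns triage findings for one parsed manifest.json (MV2 or MV3).
function triageManifest(manifest) {
  const perms = (manifest.permissions || []).filter((p) => typeof p === "string");
  // MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
  const hostPatterns = [...(manifest.host_permissions || []), ...perms];
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    const hosts = coveredAiHosts(cs.matches || []);
    if (hosts.length) findings.push({ rule: "content-script-on-ai-chat", hosts, files: cs.js || [] });
  }
  const injectable = coveredAiHosts(hostPatterns);
  if (perms.includes("scripting") && injectable.length) {
    findings.push({ rule: "can-inject-into-ai-chat", hosts: injectable });
  }
  // Proxy control plus webRequest is what answering onAuthRequired challenges needs.
  const proxyPerms = perms.filter((p) => p === "proxy" || p.startsWith("webRequest"));
  if (perms.includes("proxy") && proxyPerms.length > 1) findings.push({ rule: "proxy-with-webrequest", permissions: proxyPerms });
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLE_VPN = {
  manifest_version: 3, name: "sample-vpn",
  permissions: ["proxy", "webRequest", "webRequestAuthProvider", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*.openai.com/*", "https://claude.ai/*"], js: ["exec.js"] }],
};
const SAMPLE_NOTES = {
  manifest_version: 3, name: "sample-notes", permissions: ["storage"],
  content_scripts: [{ matches: ["https://example.org/*"], js: ["notes.js"] }],
};
```

Feed it the manifests collected from each browser profile's Extensions directory. The findings are a review queue rather than a verdict, since many legitimate extensions also request broad host access.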

How marketplaces and platforms failed — and what to demand

  • Store review pipelines mainly inspect static artifacts (manifest, UI assets, declared permissions) and cannot easily simulate all runtime behaviors, especially scripts that activate only on targeted domains. This structural gap allows dynamic, domain‑triggered spyware to slip through initial reviews.
  • Auto‑update lacks robust re‑consent controls: updates that fundamentally change data collection behavior should trigger manual re‑review and an explicit consent flow for existing users.
  • Trust signals (Featured badges, review counts, star ratings) are useful for discoverability but not guarantees of security; platform operators must recognize that reputation can be weaponized and should strengthen post‑publication runtime analysis and rapid takedown + notification procedures.
Recommended platform improvements:
  • Add dynamic, domain‑triggered runtime analysis to extension reviews (simulate visits to AI assistant domains and instrument runtime hooks).
  • Enforce forced re‑consent for updates that add or materially change data collection features.
  • Provide enterprise APIs to block extension injections into sensitive domains (for example, block injections into .openai.com/.chat.openai.com or .google.com/chat.* pages).
  • Expand transparency for high‑risk categories (VPNs, privacy tools, ad blockers) including mandatory, machine‑readable data‑use disclosures and regular audits.

Strengths of the research and the public reporting

  • Multiple independent technical write‑ups reproduce the same core mechanisms (executor scripts, API hooking, exfiltration to analytics endpoints), which lends strong technical credibility to the core claims.
  • Researchers provided concrete indicators (extension IDs, analytics domains, update versions) that allow users and administrators to triage quickly and block at scale.
  • The incident triggered immediate, actionable guidance for both consumers and enterprises (uninstall, rotate secrets, force‑allow/block extensions), all of which are practical and effective mitigations.

Persistent risks and attack surface to watch

  • Copycat monetization: once attackers see a profitable pattern — commoditizing AI conversations — expect other extension publishers to offer “AI features” as cover while harvesting data.
  • Data‑broker laundering: even if publishers claim “anonymization,” conversation text plus timestamps and session metadata enables re‑identification or cross‑correlation with other datasets.
  • Cross‑device persistence: synced storage (chrome.storage.sync) can carry identifiers and configuration that persist across devices and profiles unless explicitly cleared.
  • Litigation and regulation: depending on jurisdictions and content captured, affected users may trigger breach notification obligations and regulatory scrutiny under GDPR/CCPA and sectoral rules.

Defensible practices for Windows users and administrators

  • Keep browser and Windows up to date — vendors roll out protections and blocklists that can mitigate extension threats over time.
  • Adopt least privilege: limit extensions to those that need specific domain access and avoid global “access to all sites” permissions unless strictly necessary.
  • Separate profiles: maintain at least two browser profiles — one for personal/general browsing with limited extensions and one for sensitive work with a tightly controlled allowlist.
  • Use enterprise controls: configure ExtensionInstallAllowlist and ExtensionInstallBlocklist policies via GPO or Intune for managed devices.

Final assessment and takeaway

The recent disclosures are a hard reminder that the tools we install to protect privacy are not automatically trustworthy. The technical pattern here is straightforward — browser extensions with broad host permissions can run arbitrary JavaScript in page context, and that capability was weaponized into large‑scale conversation capture and credential interception. Multiple independent researchers and outlets reproduced the central findings and traced exfiltration to publisher‑controlled analytics endpoints, making the core technical narrative credible and actionable. That said, not every detail is settled in public: the exact commercial buyers of harvested conversations and the full chain of custody for sold datasets remain areas that require forensic disclosure, legal discovery, or regulatory inquiry. Until those details are disclosed, treat buyer claims as plausible leads rather than definitive, and focus remediation on the immediate, verifiable actions users and IT teams can take now.
For WindowsForum readers and IT professionals, the practical guidance is simple and urgent: audit and remove untrusted extensions, rotate any credentials you pasted into AI chats while suspect extensions were installed, and harden enterprise extension policy so that convenience does not become a vector for wholesale data harvesting. These incidents will be a test of platform enforcement, regulatory response and user vigilance — and they should change how everyone approaches browser extension governance going forward.
Source: Techlicious, “That Handy Free Browser Extension You Installed Could Be Spying on You”