A popular Google Chrome browser extension used by millions of people around the world, including many in the UK, has been caught secretly collecting users’ private conversations with artificial intelligence (AI) chatbots.
The extension, called Urban VPN Proxy, carried a “Featured” badge on the Chrome Web Store and had been installed by more than six million users. Security researchers have now revealed that the extension was quietly intercepting and sending away every message users typed into AI services such as ChatGPT, Google Gemini, Microsoft Copilot, Claude, Perplexity, Meta AI and xAI’s Grok.
The discovery has raised serious concerns about online privacy, data protection, and how browser extensions are reviewed and approved.
What Is Urban VPN Proxy?
Urban VPN Proxy is marketed as a free virtual private network (VPN) service. VPNs are commonly used to hide a user’s IP address, protect their identity online, or access content blocked in certain countries.
The extension claimed to offer anonymous browsing and enhanced security. Because it was labelled as “Featured” by Google, many users assumed it had passed strong safety checks and could be trusted.
However, cybersecurity experts now say the extension was doing much more than routing internet traffic.
What Exactly Was It Collecting?
According to security researchers, Urban VPN Proxy was monitoring web activity on AI chatbot websites. Whenever a user typed a prompt or question into an AI tool, the extension captured the text and sent it to remote servers controlled by the extension’s operators.
This means personal, sensitive, and confidential information could have been collected, including:
- Work-related questions
- Legal or medical queries
- Private thoughts and diary-like entries
- Business ideas and source code
- Personal problems shared with AI chatbots
Many people treat AI chat tools as private assistants. The idea that those conversations were being silently copied has alarmed users and privacy experts alike.
Why Is This a Big Deal?
AI chats often contain more personal information than standard web browsing. Users may reveal things to AI that they would never post publicly, believing the interaction is private.
In the UK, this raises potential issues under data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. These laws require companies to clearly explain what data they collect and why, and to get proper consent from users.
If user data was collected without clear permission, the extension’s operators could face serious legal consequences.
How Did This Go Undetected?
One of the most worrying aspects of the incident is that the extension carried a Google “Featured” badge, which is meant to signal quality, safety and trustworthiness.
Browser extensions can request broad permissions, such as the ability to “read and change data on all websites”. While these permissions are sometimes necessary, they can also be abused.
Experts say this case shows that even highly rated and promoted extensions can pose risks. Automated reviews may miss hidden or obfuscated code, especially if malicious behaviour is carefully concealed.
Impact on UK Users
Urban VPN Proxy was available worldwide, including in the UK, meaning British users may also have been affected.
UK cybersecurity professionals are warning users to:
- Immediately remove the extension
- Change passwords if sensitive data was shared
- Be cautious about what information is typed into AI tools
- Review permissions for all installed browser extensions
The UK’s Information Commissioner’s Office (ICO) may investigate if UK users’ data was mishandled.
Google and the Bigger Problem
While Google has systems in place to scan extensions for malicious behaviour, this incident highlights the difficulty of policing millions of add-ons.
Privacy campaigners are calling on Google to:
- Improve extension audits
- Reduce excessive permissions
- Add clearer warnings for users
- Regularly re-review “Featured” extensions
There are also growing calls for better public education around browser security.
How Can Users Stay Safe?
Cybersecurity experts recommend several simple steps:
- Install only necessary extensions
- Avoid free VPNs, which often make money through data collection
- Check permissions carefully
- Remove extensions you no longer use
- Treat AI chats as potentially non-private
If an extension asks for access to “all websites”, users should question whether that level of access is truly needed.
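One way to carry out the permission check described above, as an added example that is not part of the original article: a Python script that reads each installed extension's manifest.json and reports those whose host permissions or content scripts cover every website. The profile's Extensions directory is passed as an argument (its location varies by operating system and is an assumption here), and the two sample manifests are constructed for illustration.

```python
import json
import sys
from pathlib import Path

# Match patterns that grant access to every site (Chrome match-pattern syntax).
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def broad_access(manifest: dict) -> list[str]:
    """Return the manifest fields that give the extension all-site access."""
    findings = []
    # MV2 lists host patterns in "permissions"; MV3 uses "host_permissions".
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        hits = sorted(p for p in manifest.get(key, []) if isinstance(p, str) and p in BROAD)
        if hits:
            findings.append(f"{key}: {', '.join(hits)}")
    # Content scripts injected into every page can read what is typed there.
    for i, cs in enumerate(manifest.get("content_scripts", [])):
        hits = sorted(set(cs.get("matches", [])) & BROAD)
        if hits:
            findings.append(f"content_scripts[{i}].matches: {', '.join(hits)}")
    return findings


def audit(ext_root: Path) -> dict[str, list[str]]:
    """Scan <ext_root>/<extension id>/<version>/manifest.json files."""
    report = {}
    for path in sorted(ext_root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            findings = broad_access(manifest)
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed manifest: skip it
        if findings:
            report[f"{path.parent.parent.name} ({manifest.get('name', '?')})"] = findings
    return report


# Constructed sample manifests (not taken from any real extension).
SAMPLE_BROAD = {"manifest_version": 3, "name": "Sample VPN",
                "permissions": ["storage", "proxy"],
                "host_permissions": ["<all_urls>"],
                "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]}
SAMPLE_NARROW = {"manifest_version": 3, "name": "Sample Notes",
                 "permissions": ["storage"],
                 "host_permissions": ["https://notes.example/*"]}

if __name__ == "__main__" and len(sys.argv) > 1:
    for ext, reasons in audit(Path(sys.argv[1])).items():
        print(ext, *reasons, sep="\n  ")
```

A flagged extension is not necessarily harmful, since some tools need all-site access to work; the output is a shortlist of extensions whose access deserves a second look.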
A Wake-Up Call
The Urban VPN Proxy incident serves as a strong reminder that online convenience often comes at a hidden cost. Even tools that appear safe, popular, and officially promoted can misuse trust.
As AI becomes more deeply embedded in daily life, protecting conversations with these systems will become increasingly important. Users, regulators, and technology companies all have a role to play in making the internet safer.
For now, experts agree on one thing: privacy should never be assumed — it must be actively protected.






