December 16, 2025

VPN/Adblock extensions harvest and exfiltrate AI chat conversations

Research has identified that Urban VPN Proxy and multiple related extensions contain functionality that captures and exfiltrates complete AI chat conversations by default.

Research identified that Urban VPN Proxy (6M+ users) and multiple related extensions from the same publisher contain functionality that captures and exfiltrates complete AI chat conversations by default. The behavior operates independently of the VPN feature and runs even when the VPN is disabled. Captured data includes prompts, responses, timestamps, conversation identifiers, and session metadata, which is transmitted to Urban VPN-controlled telemetry endpoints.

The analysis found dedicated per-platform “executor” scripts used to intercept conversations across multiple AI chat services. There is no user-facing toggle to disable the harvesting; removing the extension is required.

How the Harvesting Works

  1. Script injection into AI platforms: The extension watches tabs and injects a platform-specific script (e.g., chatgpt.js, claude.js, gemini.js) when the user visits a targeted AI site.
  2. Overrides browser networking APIs: The injected script wraps/overrides fetch() and XMLHttpRequest so that request/response bodies for AI prompts and completions are visible to the extension before rendering.
  3. Parsing + message passing: Conversation content (prompts, responses, IDs, timestamps) is parsed and sent via window.postMessage tagged with PANELOS_MESSAGE to the extension content script.
  4. Exfiltration via background worker: The content script forwards the data to the background service worker, which compresses and transmits it to endpoints including:
    • analytics.urban-vpn.com
    • stats.urban-vpn.com

Why This Matters

AI chat sessions frequently contain highly sensitive data (source code, internal designs, customer info, credentials, health/financial details). When an extension silently captures entire conversations:

  • It creates enterprise data leakage outside approved security controls.
  • It turns “AI usage” into a new exfiltration channel that users may not treat like email/drive.
  • It undermines user trust: the extensions market “AI protection” while the code path exfiltrates the same data.

Timeline / Exposure Window

  • Before v5.5.0: No AI conversation harvesting observed.
  • July 9, 2025: Version 5.5.0 released with AI harvesting enabled by default.
  • July 2025 – present: Conversations on targeted AI platforms may have been captured for users with auto-updated extensions.

Scope of Affected Extensions

Identical AI conversation harvesting code was found across multiple extensions from the same publisher:

  • Chrome Web Store: Urban VPN Proxy, 1ClickVPN Proxy, Urban Browser Guard, Urban Ad Blocker
  • Microsoft Edge Add-ons: Urban VPN Proxy, 1ClickVPN Proxy, Urban Browser Guard, Urban Ad Blocker

Estimated combined reach: 8M+ users.

Recommended Actions

  1. Uninstall / blocklist affected extensions across managed devices (Chrome Enterprise / Edge policies).
  2. Assume AI chat content may be exposed if any of the extensions were installed after July 2025 and users accessed AI platforms listed above.
  3. Restrict extension installs to allowlists (verified publishers only; ban “search-and-install” behavior).

Indicators of Compromise (IOCs)

Chrome Extension IDs
  • Urban VPN Proxy: eppiocemhmnlbhjplcgkofciiegomcon
  • Urban Browser Guard: almalgbpmcfpdaopimbdchdliminoign
  • Urban Ad Blocker: feflcgofneboehfdeebcfglbodaceghj
  • 1ClickVPN Proxy (Chrome): pphgdbgldlmicfdkhondlafkiomnelnk
Edge Extension IDs
  • Urban VPN Proxy: nimlmejbmnecnaghgmbahmbaddhjbecg
  • Urban Browser Guard: jckkfbfmofganecnnpfndfjifnimpcel
  • Urban Ad Blocker: gcogpdjkkamgkakkjgeefgpcheonclca
  • 1ClickVPN Proxy (Edge): deopfbighgnpgfmhjeccdifdmhcjckoe
Exfiltration / Telemetry Endpoints
  • analytics.urban-vpn.com
  • stats.urban-vpn.com
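
One way to audit an endpoint for the extension IDs listed above, added here as an example and not taken from the original research: the script walks a Chromium-style user-data directory and reports every affected extension it finds, per profile, with the installed version. It assumes the usual on-disk layout `<user data dir>/<profile>/Extensions/<extension id>/<version dir>/manifest.json`; the function names and the sample tree are constructed for illustration.

```python
import json
import sys
import tempfile
from pathlib import Path

# Extension IDs copied from the IOC list on this page.
AFFECTED = {
    "eppiocemhmnlbhjplcgkofciiegomcon": "Urban VPN Proxy (Chrome)",
    "almalgbpmcfpdaopimbdchdliminoign": "Urban Browser Guard (Chrome)",
    "feflcgofneboehfdeebcfglbodaceghj": "Urban Ad Blocker (Chrome)",
    "pphgdbgldlmicfdkhondlafkiomnelnk": "1ClickVPN Proxy (Chrome)",
    "nimlmejbmnecnaghgmbahmbaddhjbecg": "Urban VPN Proxy (Edge)",
    "jckkfbfmofganecnnpfndfjifnimpcel": "Urban Browser Guard (Edge)",
    "gcogpdjkkamgkakkjgeefgpcheonclca": "Urban Ad Blocker (Edge)",
    "deopfbighgnpgfmhjeccdifdmhcjckoe": "1ClickVPN Proxy (Edge)",
}

def find_affected(user_data_dir):
    """Return sorted (profile, id, name, version) for affected extensions found
    under <user_data_dir>/<profile>/Extensions/<id>/<version dir>/manifest.json."""
    hits = []
    for ext_dir in Path(user_data_dir).glob("*/Extensions/*"):
        name = AFFECTED.get(ext_dir.name)
        if name is None or not ext_dir.is_dir():
            continue
        versions = []
        for manifest in ext_dir.glob("*/manifest.json"):
            try:
                data = json.loads(manifest.read_text(encoding="utf-8-sig"))
                versions.append(str(data.get("version", "unknown")))
            except (OSError, ValueError, AttributeError):
                versions.append("unreadable")  # still report a damaged install
        for version in sorted(versions) or ["no-manifest"]:
            hits.append((ext_dir.parent.parent.name, ext_dir.name, name, version))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample: two profiles, one affected ID each, one unrelated ID."""
    samples = [("Default", "eppiocemhmnlbhjplcgkofciiegomcon", "5.5.0"),
               ("Default", "a" * 32, "1.0.0"),  # constructed, unrelated ID
               ("Profile 1", "feflcgofneboehfdeebcfglbodaceghj", "1.2.3")]  # constructed version
    for profile, ext_id, version in samples:
        vdir = Path(root) / profile / "Extensions" / ext_id / f"{version}_0"
        vdir.mkdir(parents=True)
        (vdir / "manifest.json").write_text(json.dumps({"version": version}))

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) <= 1:
        build_sample_tree(target)  # no path given: run against the constructed sample
    for hit in find_affected(target):
        print("\t".join(hit))
```

Run it with the browser's user-data directory as the only argument; with no argument it scans the constructed sample tree.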

This incident demonstrates a growing class of risk: browser extensions that quietly monitor and monetize AI conversations. Because extensions auto-update and run with high trust, a single “privacy” tool can become an enterprise-scale surveillance layer. Treat AI chat traffic as sensitive data, enforce strict extension governance, and audit for any tooling that intercepts fetch/XHR on AI platforms.
