Several Chrome and Microsoft Edge extensions, designed to protect users online, were discovered to include AI harvesting code that captured, among other things, every AI prompt and response made in the browser in which they were installed.
This is the second major discovery by security researchers at KOI. In July, the company discovered 18 malicious Chrome extensions with millions of installations that ran malicious tasks in the background.
Security researchers at KOI discovered Urban VPN Proxy by chance. The Chrome extension had over 6 million users, a 4.7-star rating on the Chrome Web Store, and a featured badge from Google.
Featured meant that Google reviewed the extension manually to ensure that it follows “technical best practices” and meets “a high standard of user experience and design”.
The makers of the extension, which was also installed by over 1.3 million Microsoft Edge users via Microsoft’s own extensions store, promised unhindered access to any website and the unblocking of content.
According to KOI, the extension did not always have AI harvesting functionality baked into it. This started on July 9, 2025 with the release of version 5.5.0. It shipped with AI harvesting enabled by default.
This meant that AI interactions of any user who updated the extension to the new version or installed it anew were collected.
KOI says the following gets captured:
- Every prompt you send to the AI
- Every response you receive
- Conversation identifiers and timestamps
- Session metadata
- The specific AI platform and model used
The extension supports ten major AI platforms, including ChatGPT, Gemini, Claude, Microsoft Copilot, Grok, Meta AI, Perplexity, and DeepSeek, according to KOI.
It injects scripts into the AI platform’s website whenever a supported site is loaded in the browser. From there, it manipulates browser functions to route all network requests through itself. These requests get parsed and then exfiltrated by a background service worker.
A quick search for extensions that use the same code revealed three additional extensions, available on both the Chrome and the Microsoft Edge web store.
These are 1ClickVPNProxy, Urban Browser Guard, and Urban Ad Blocker. All eight extensions have an accumulated user count of over 8 million.
How could this have been prevented?
Unlike Mozilla, which reviews the updates of featured extensions for Firefox as well, neither Google nor Microsoft seems to do that. This is a loophole that gets exploited over and over again: create or buy a harmless extension that is useful, get the featured badge by passing the manual review, and release an update with malicious code later on, as (some?) updates seem to be accepted automatically.
So, if you use extensions, Firefox is the safer bet, but only for featured extensions. This has downsides of its own, including that it takes longer before updates become available.
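The update loophole and the script injection described above can be checked from the defender's side by diffing the manifests of two versions of an extension. The following is an added example, not code from KOI or from any of the extensions; the hostnames chosen for the named AI platforms and both sample manifests are assumptions constructed for illustration.

```javascript
// Added example. Hostnames are assumptions for the platforms the article names.
const AI_HOSTS = ["chatgpt.com", "gemini.google.com", "claude.ai", "copilot.microsoft.com",
                  "grok.com", "www.meta.ai", "www.perplexity.ai", "chat.deepseek.com"];

// Does a Chrome match pattern ("*://*.claude.ai/*", "<all_urls>") cover this HTTPS host?
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/([^/]+)\/.*$/.exec(pattern);
  if (!m || m[1] === "http") return false;   // malformed, file:// or http-only pattern
  const h = m[2];
  if (h === "*") return true;
  if (h.startsWith("*.")) return host === h.slice(2) || host.endsWith(h.slice(1));
  return host === h;
}

// AI hosts a manifest reaches, split by mechanism. Host access alone also permits
// runtime injection through the scripting API, so both lists are worth reporting.
function aiCoverage(manifest) {
  const scripts = (manifest.content_scripts || []).flatMap(cs => cs.matches || []);
  const hostPerms = [...(manifest.host_permissions || []),                    // Manifest V3
    ...(manifest.permissions || []).filter(p => p.includes("://") || p === "<all_urls>")]; // V2
  const covered = pats => AI_HOSTS.filter(h => pats.some(p => patternCoversHost(p, h)));
  return { contentScripts: covered(scripts), hostAccess: covered(hostPerms) };
}

// What an update adds: AI hosts reachable in `next` that were not reachable in `prev`.
function addedCoverage(prev, next) {
  const a = aiCoverage(prev), b = aiCoverage(next);
  const diff = (x, y) => y.filter(h => !x.includes(h));
  return { contentScripts: diff(a.contentScripts, b.contentScripts),
           hostAccess: diff(a.hostAccess, b.hostAccess) };
}

// Constructed manifests (not the real extension's files).
const before = { manifest_version: 3, version: "1.0.0",
  host_permissions: ["<all_urls>"], content_scripts: [] };
const after = { manifest_version: 3, version: "1.1.0", host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["https://chatgpt.com/*", "*://*.claude.ai/*"], js: ["inject.js"] }] };

console.log(addedCoverage(before, after));
```

In this constructed case the host access is identical in both versions, so a permission diff alone shows nothing; only the content script targets reveal that the update started running code on AI chat pages.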

Free VPNs are just like meme coins. You are just asking for trouble by using them. Not that other extensions cannot be compromised, but please avoid free VPNs and shopping coupon extensions. There is like a 100% chance that you will be tracked and upsold.
I agree. Development, hosting, traffic, all cost money and it is very unlikely that the service is fueled by altruistic motivation.
When will they learn? The Chrome webstore has been a free-for-all for a long time, it’s like they don’t ever care. The irony is that last month, Google warned that prompt injections are the biggest threat to agentic browsers, and how Chrome has safety measures to prevent such attacks.
The Chrome webstore has been a dump for as long as I care to remember. It always had and still has an unsafe shovelware vibe to it.
Is anyone really surprised by any of this? I feel as though both Mozilla and Google can do better in this department. Having the ability to restrict and monitor extensions would be great. I vaguely recall an extension for Chrome but the name escapes me right now.
I believe the extension was discontinued after some sort of API issue and restriction occurred which prevented it from working correctly.
I personally feel that such things should be baked into the browser itself.
The Google Play Store is no better.
At this point I would have to say that Google are complicit, they routinely complain about sideloading and the dangers of installing apps/extensions outside of their own repository and yet their own repository is the absolute worst. Ironic.