Security researchers revealed that Urban VPN, a popular free VPN extension used by millions, was capable of accessing AI chat conversations across multiple platforms. The findings triggered widespread coverage and prompted Urban VPN to issue a public response disputing parts of the claims.
While the case centers on one extension, experts say it exposes a much larger issue. Millions of people now rely on AI chat tools like ChatGPT, Google Gemini, and Microsoft Copilot to write emails, solve work problems, plan trips, or ask personal questions. What many users don’t realize is that these conversations often take place inside browsers filled with extensions that may have far more access than expected, making those extensions a largely overlooked gateway to some of the internet’s most sensitive data.
What Researchers Found
Earlier this month, cybersecurity researchers at Koi Security reported that the Urban VPN browser extension could intercept both AI prompts and responses by injecting code into AI chat webpages, including ChatGPT, Google Gemini, Claude, and Microsoft Copilot. They said this access could occur even when the VPN itself was not actively connected.
According to the researchers, the extension modified core browser networking functions used by the websites, allowing it to observe AI conversations before they were displayed on screen. This meant the extension could technically access everything a user typed into an AI chat, as well as the responses generated, without requiring the user to click the extension or actively enable the VPN connection.
The researchers said this behavior continued even when the VPN feature itself was turned off, because the data access was handled by the browser extension rather than the VPN tunnel. In practice, this meant users could believe they were simply browsing normally while the extension remained capable of monitoring AI chat traffic in the background.
Koi Security reported that the AI chat interception functionality was introduced through an automatic update earlier this year, around mid-2025, and remained active for several months before being publicly disclosed. Because browser extensions update silently by default, users were not notified of the new behavior and were given no clear indication that the extension’s capabilities had changed.
Security analysts emphasized that this type of access does not rely on breaking encryption or hacking AI services. Instead, it exploits the trust model of browser extensions, which are allowed to read and modify webpage content if granted broad permissions during installation—permissions many users approve without fully reviewing.
How Urban VPN Responds
Following the growing media attention, Urban VPN published an official blog post addressing the allegations. In the statement, the company said that AI chat processing is tied to its “AI Protection” feature and that this functionality operates only when users explicitly opt in.
Urban VPN said the feature is designed to warn users about sharing sensitive information with AI tools and disputed claims that AI chats are collected by default.

Security analysts note, however, that the broader concern remains unresolved: whether users clearly understood what data the feature could access, how consent was presented, and whether disclosures were sufficiently prominent for a general audience.
Why This Went Unnoticed for Months
One reason the issue attracted little attention until now is how browser extensions function. Many extensions request broad permissions, such as the ability to “read and change data on all websites,” which can allow access to anything typed into a webpage, including AI chat interfaces (Google Chrome Extensions documentation).
Because this activity occurs within the browser itself, AI platforms typically have no visibility into which extensions may be accessing user input.

Security experts say this creates a structural blind spot: users may install an extension for a single purpose, such as privacy or convenience, without realizing the full scope of access it receives.
Why AI Chats Are Especially Sensitive
Unlike traditional browsing history, AI conversations often contain deeply personal or confidential information.
Users routinely paste internal work documents, business ideas, source code, resumes, legal questions, financial concerns, or health-related queries into AI chat tools. As several analysts have noted, this makes AI chats far more revealing than simple click or search data.
From a privacy standpoint, AI conversations reflect declared intent (what people are actively thinking about or planning) rather than passive behavior.
Not Just One Extension
While Urban VPN is the focus of the current controversy, security professionals emphasize that the issue is broader than a single product.
Many browser extensions, particularly those related to AI tools, productivity features, or free services, reserve the right to process user content in their terms or privacy policies. In some cases, this disclosure is clear. In others, it is buried in lengthy documents few users read.
At the same time, browser extension marketplaces do not currently require special labeling for extensions that can access AI chat data, leaving users with limited insight into how their conversations may be handled.
The case has also renewed scrutiny of free VPN services more generally.
Running a VPN network is expensive, and when users are not paying with money, companies often rely on alternative revenue models such as analytics, advertising, or data partnerships. AI chat data is particularly valuable because it reveals user intent rather than passive browsing behavior, a point highlighted by multiple security outlets covering the Urban VPN case.
Privacy experts caution that this economic reality does not automatically imply wrongdoing, but it does mean users should be cautious about what they share through free tools.

What Users Can Do
Security professionals recommend several practical steps:
- review and remove browser extensions you no longer need;
- be cautious of extensions requesting permission to read data on all websites;
- avoid using AI tools in browsers overloaded with extensions;
- consider separate browser profiles for work or sensitive AI conversations;
- treat AI chat tabs like email or documents, not casual searches.
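For readers who want to check the first two steps against an extension's own manifest.json, here is one way to list which manifest entries give it reach into AI chat pages. This is an added example, not code from Koi Security or Urban VPN; the hostnames in `AI_CHAT_HOSTS` and both sample manifests are constructed assumptions.

```javascript
// Added example: flag manifest entries whose match patterns cover AI chat sites.
// AI_CHAT_HOSTS is an assumption; the article names the products, not their hostnames.
const AI_CHAT_HOSTS = ["chatgpt.com", "gemini.google.com", "claude.ai", "copilot.microsoft.com"];

// Does a Chrome match pattern (e.g. "https://*.google.com/*") cover this host?
function patternCoversHost(pattern, host) {
  if (typeof pattern !== "string") return false;
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/([^/]*)\//.exec(pattern);
  if (!m) return false; // API permission such as "storage", not a host pattern
  const h = m[2];
  if (h === "*") return true;
  if (h.startsWith("*.")) {
    const base = h.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return h === host;
}

// Collect every host pattern in the manifest that reaches at least one AI chat host.
function auditManifest(manifest) {
  const sources = {
    permissions: manifest.permissions || [], // Manifest V2 kept host patterns here
    host_permissions: manifest.host_permissions || [], // Manifest V3
    optional_host_permissions: manifest.optional_host_permissions || [],
  };
  (manifest.content_scripts || []).forEach((cs, i) => {
    sources[`content_scripts[${i}].matches`] = cs.matches || [];
  });
  const findings = [];
  for (const [where, patterns] of Object.entries(sources)) {
    for (const pattern of patterns) {
      const hosts = AI_CHAT_HOSTS.filter((h) => patternCoversHost(pattern, h));
      if (hosts.length) {
        findings.push({ where, pattern, hosts, broad: hosts.length === AI_CHAT_HOSTS.length });
      }
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLE_BROAD = { manifest_version: 3, permissions: ["storage", "proxy"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"], run_at: "document_start" }] };
const SAMPLE_NARROW = { manifest_version: 3, permissions: ["storage"],
  host_permissions: ["https://notes.example.com/*"] };

console.log(JSON.stringify(auditManifest(SAMPLE_BROAD), null, 2));
```

A finding marked `broad` corresponds to the “read and change data on all websites” prompt; an empty result only means the manifest declares no static reach into those hosts.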
A Growing Privacy Question
As AI tools become part of everyday life, privacy safeguards are struggling to keep pace.
The Urban VPN case has evolved from a single research report into a broader conversation about transparency, consent, and trust in browser extensions. While no regulatory action has been announced as of 19 December 2025, analysts say the episode highlights how easily sensitive AI data can fall into a gray area.
Whether this leads to stricter rules or clearer disclosures remains to be seen. What is clear is that AI conversations, once treated as disposable, are rapidly becoming one of the internet’s most sensitive forms of personal data.