The Featured Listener Behind the Glass: When a Browser Extension Listens to Your AI Conversations

  • Javier Conejo del Cerro
  • 16 Dec 2025
  • 4 min read

Updated: 17 Dec 2025


Confession rooms are built on trust. You speak freely because you believe no one else is listening.

For millions of users, AI chatbots have become exactly that: places to think out loud, ask sensitive questions, discuss work problems, health concerns, or personal doubts. But in this case, there was someone behind the glass.

A Chrome extension carrying a “Featured” badge and promoted as a privacy-enhancing VPN quietly positioned itself as an invisible listener. Without warnings or explicit consent, it began intercepting conversations with AI platforms like ChatGPT, Claude, Copilot, Gemini, Grok, Meta AI, DeepSeek and Perplexity — at massive scale.

This is the story of how trust in browser marketplaces became a surveillance channel.


Phase 1: Trust as the Entry Point — The Power of a “Featured” Badge


The first phase of the operation did not rely on deception in the traditional sense. Instead, it relied on institutional trust.

Urban VPN Proxy was:

  • Listed as a “Featured” extension

  • Rated 4.7 stars

  • Installed by over six million users on Chrome, plus more than a million on Edge

Featured badges act as implicit endorsements. For many users, they signal that an extension has been reviewed, follows best practices, and respects user privacy. This perception is critical: users install such tools precisely because they want less tracking, not more.

That trust opened the door.


Phase 2: The Silent Update — When the Listener Appears


On July 9, 2025, version 5.5.0 of Urban VPN Proxy was pushed to users via the browser’s automatic update mechanism.

No reinstall.

No new permission prompt.

No visible change in behavior.

What changed was the code.

The update enabled AI conversation harvesting by default, using hard-coded settings. Users woke up one day with new functionality silently embedded in a tool they had already trusted.

The listener was now behind the glass.


Phase 3: The Wiretap — How AI Conversations Were Intercepted


The technical mechanism was precise and deliberate.

For each supported AI platform, the extension injected tailored executor scripts such as:

  • chatgpt.js

  • claude.js

  • gemini.js

Once injected, these scripts overrode core browser networking APIs:

  • fetch()

  • XMLHttpRequest()

Every AI request and response was first routed through the extension’s code. This allowed the extension to capture conversations in full before forwarding them to their intended destination.
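The hook described above leaves a trace that a defender can look for: once a script replaces fetch() or XMLHttpRequest methods with its own wrapper, those functions are no longer the engine's built-in implementations. The following is an added example, not code from the article or from the extension it describes; it is a heuristic page-world check that classifies the networking entry points as native, overridden, or missing. The function names (isNativeFunction, auditFunctions, overriddenNetworkApis) are this example's own.

```javascript
// Added example (not the article's code): heuristic detection of replaced
// page-world networking APIs, the technique the article attributes to the
// injected executor scripts.

const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

// True if fn still looks like the engine's built-in implementation.
// Function.prototype.toString is invoked directly so that a tampered
// fn.toString cannot answer on its behalf.
// Caveats: bound functions and callable Proxies also print "[native code]".
// Bound wrappers are caught by their "bound " name prefix; a Proxy wrapper is
// not, and a script that also replaces Function.prototype.toString defeats
// the check, so a "native" verdict is absence of evidence, not proof.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  const src = Function.prototype.toString.call(fn);
  return NATIVE_RE.test(src) && !fn.name.startsWith('bound ');
}

// Classify a list of [label, fn] pairs.
function auditFunctions(entries) {
  return entries.map(([name, fn]) => ({
    name,
    status: typeof fn !== 'function'
      ? 'missing'
      : (isNativeFunction(fn) ? 'native' : 'overridden'),
  }));
}

// The entry points an interception hook would need to replace in order to
// read requests and responses before the page sees them.
function networkApiEntries(win) {
  const xhr = win.XMLHttpRequest;
  const proto = xhr && xhr.prototype;
  return [
    ['fetch', win.fetch],
    ['XMLHttpRequest', xhr],
    ['XMLHttpRequest.prototype.open', proto && proto.open],
    ['XMLHttpRequest.prototype.send', proto && proto.send],
  ];
}

// Names of the networking APIs that are present but no longer native.
function overriddenNetworkApis(win) {
  return auditFunctions(networkApiEntries(win))
    .filter((f) => f.status === 'overridden')
    .map((f) => f.name);
}

// In a browser, run this from the page console (page world, not an
// extension's isolated world, since that is where the replacement lives).
if (typeof window !== 'undefined') {
  const hooked = overriddenNetworkApis(window);
  console.log(hooked.length
    ? `non-native network APIs: ${hooked.join(', ')}`
    : 'network APIs look native');
}
```

Because the check runs in the same JavaScript realm as the hook, it only raises the bar: it catches the plain wrapper pattern (a JS function assigned over the original) but not a wrapper that also forges Function.prototype.toString. A stronger baseline is to compare against a fresh realm, for example the fetch of a newly created same-origin iframe, since a content script injected at document_start typically patches only the top document.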

What was collected included:

  • User prompts

  • Chatbot responses

  • Conversation identifiers and timestamps

  • Session metadata

  • AI platform and model used

The conversations were then exfiltrated to:

  • analytics.urban-vpn[.]com

  • stats.urban-vpn[.]com

This was not passive telemetry. It was full conversational surveillance.


Phase 4: The Confession — Why AI Data Is Especially Sensitive


Unlike traditional browsing data, AI conversations are uniquely revealing.

Users increasingly treat AI chatbots as:

  • Advisors

  • Drafting partners

  • Problem solvers

  • Emotional outlets

As acknowledged even in Urban VPN’s own privacy policy, AI prompts can contain sensitive personal information. While the company claims de-identification and aggregation, it explicitly states that it cannot fully guarantee the removal of all sensitive or personal data.

In other words: the extension listened to everything — including things users never intended to share with anyone else.


Phase 5: The Business Model — From Listener to Broker


The data did not simply remain internal.

Urban VPN’s privacy disclosures reveal that:

  • Raw (non-anonymized) browsing data is shared with BIScience, an affiliated ad intelligence and brand monitoring company

  • The insights derived from this data are commercially used and shared with business partners

Notably, BIScience also owns Urban Cyber Security Inc., the developer of Urban VPN Proxy. Previous research has linked BIScience to large-scale clickstream data collection through partner extensions, exploiting gray areas in Chrome Web Store policies.

The confession was not private. It was monetized.


Phase 6: The Illusion of Protection — “AI Safety” as Cover


Ironically, the extension advertised an “AI protection” feature that warned users about sharing personal data with AI providers or clicking unsafe links in responses.

What users were not told:

  • AI conversations were harvested regardless of whether this feature was enabled

  • The same sensitive data users were warned about was being sent to Urban VPN’s own servers

As one researcher put it: the extension warns you about sharing your email with ChatGPT while simultaneously exfiltrating your entire conversation to a data broker.

The glass was one-way.


Phase 7: Scale and Replication — Not an Isolated Case


The behavior was not limited to a single extension.

Identical AI harvesting logic was identified in other extensions from the same publisher, including:

  • 1ClickVPN Proxy

  • Urban Browser Guard

  • Urban Ad Blocker

Together, these extensions pushed the total install base beyond eight million users, many of them carrying the same “Featured” designation.

This was not an accident. It was a repeatable pattern.


Defensive Measures: Breaking the One-Way Mirror


Defending against this type of threat requires rethinking where trust is placed.

Key actions include:

  • Auditing installed browser extensions regularly

  • Treating auto-updates as potential risk events

  • Monitoring extensions that hook browser APIs

  • Limiting extensions with access to network requests

  • Treating AI conversations as sensitive data by default

Most importantly, users and organizations must understand that marketplace badges signal compliance, not intent.


This incident is not just about one extension. It is about how easily trusted software becomes surveillance when incentives shift.


No exploit was needed.

No vulnerability was abused.

No malware alert was triggered.

The listener was invited in, sat quietly behind the glass, and took notes.

In an era where AI conversations are becoming the most personal form of digital interaction, the lesson is clear:

If you can speak freely, someone else can listen freely too — unless you know exactly who is on the other side.



The Hacker News
