Executive Summary
In December 2025, security researchers revealed that Urban VPN, a widely used proxy extension, was surreptitiously intercepting conversations across multiple major AI platforms including ChatGPT, Claude, Gemini, and others. The extension embedded specialized scripts to harvest every prompt, response, and session identifier, regardless of VPN connectivity, compromising the privacy of millions of users. This covert data collection occurred without user awareness or consent, and the only available mitigation was uninstalling the extension altogether. Widespread harvesting of AI chat data raised severe concerns over data confidentiality and regulatory non-compliance.
This incident underscores the increasing exploitation of browser extensions as attack vectors, especially as user reliance on generative AI tools for sensitive communications grows. The lack of transparency and opt-out mechanisms amplifies exposure to data-harvesting malware and highlights urgent needs for enhanced supply-chain vetting and detective controls in both enterprise and consumer environments.
Why This Matters Now
As enterprise adoption of AI chat platforms accelerates, extensions like Urban VPN represent a rapidly growing threat to data integrity and privacy. The incident exposes urgent gaps in extension security vetting, user awareness, and compliance with data protection frameworks, highlighting the critical need for Zero Trust controls and real-time monitoring.
Attack Path Analysis
The attack began with users installing a malicious Urban VPN browser extension, granting it access to web sessions. The extension leveraged existing permissions to silently harvest sensitive data from AI chat platforms without elevating privileges. Since it operated as a browser extension, no cloud or system lateral movement occurred. The extension maintained a persistent channel to exfiltrate intercepted conversations, identifiers, and session details. Sensitive prompts and responses were continuously sent to external infrastructure controlled by the attacker. The result was a significant compromise of user privacy and potential loss of proprietary or regulated information.
Kill Chain Progression
Initial Compromise
Description
Users installed the Urban VPN browser extension, unknowingly introducing malware capable of intercepting AI chat traffic.
MITRE ATT&CK® Techniques
Browser Extensions
Input Capture: Web Portal Capture
Archive Collected Data: Archive via Utility
Obfuscated Files or Information
Exfiltration Over C2 Channel
Automated Collection
Account Discovery: Email Account
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protect Stored Cardholder Data
Control ID: 3.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework - Protection & Prevention
Control ID: Art. 9(2)
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Monitor Data at Rest and in Transit
Control ID: Data Protection - Continuous Monitoring
NIS2 Directive – Cybersecurity risk-management measures
Control ID: Art. 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Urban VPN's data harvesting malware targeting AI platforms creates severe risks for software developers using ChatGPT, Claude, and other AI coding assistants for proprietary development.
Legal Services
Law firms using AI platforms for document review and legal research face attorney-client privilege breaches through continuous interception of sensitive AI conversations and metadata.
Health Care / Life Sciences
Healthcare organizations leveraging AI tools risk HIPAA violations as the malware captures patient data discussions, research queries, and clinical decision-making conversations across platforms.
Financial Services
Banks and financial institutions using AI for analysis face regulatory compliance failures as the proxy intercepts confidential client data and trading strategy discussions.
Sources
- Urban VPN Proxy Surreptitiously Intercepts AI Chatshttps://www.schneier.com/blog/archives/2025/12/urban-vpn-proxy-surreptitiously-intercepts-ai-chats.htmlVerified
- Urban VPN Proxy is the latest free VPN spying on users – here's how to stay safehttps://www.techradar.com/vpn/vpn-privacy-security/urban-vpn-proxy-is-the-latest-free-vpn-spying-on-users-heres-how-to-stay-safeVerified
- VPN extension for Chrome intercepts users’ AI requests – HackMaghttps://hackmag.com/news/ai-urban-vpnVerified
- This Google Chrome extension has been silently stealing every AI prompt its users enterhttps://www.techradar.com/pro/security/this-google-chrome-extension-has-been-silently-stealing-every-ai-prompt-its-users-enterVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Comprehensive Zero Trust segmentation, granular egress policy enforcement, and network-layer threat detection could have restricted unapproved data flows and flagged anomalous traffic from browser extensions, limiting the attacker's ability to exfiltrate sensitive AI chat content. Inline CNSF controls and real-time observability would further help identify and suppress covert harvesting channels.
Control: Threat Detection & Anomaly Response
Mitigation: Unusual extension behaviors or session hijacking attempts could be detected and alerted.
Control: Zero Trust Segmentation
Mitigation: Granular segmentation policies minimize privilege access beyond the minimum necessary.
Control: East-West Traffic Security
Mitigation: Internal lateral movement blocked and monitored, should malicious code attempt to pivot beyond the user's browser.
Control: Egress Security & Policy Enforcement
Mitigation: Suspicious outbound sessions to unauthorized domains blocked and alerted.
Control: Cloud Firewall (ACF)
Mitigation: Data exfiltration attempts via HTTP/S can be blocked or flagged by outbound firewall and DLP rules.
Comprehensive monitoring and auditing enable rapid response and scope determination.
Impact at a Glance
Affected Business Functions
- Data Privacy Compliance
- User Trust Management
- Legal and Regulatory Affairs
Estimated downtime: N/A
Estimated loss: $500,000
Unauthorized collection and potential sale of sensitive user interactions with AI platforms, including prompts, responses, and session metadata, leading to significant privacy violations and potential regulatory penalties.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce granular egress policies and FQDN filtering to restrict browser extension communications with unauthorized destinations.
- • Enhance real-time threat detection and network anomaly response to identify suspicious extension traffic and session hijacking activities.
- • Apply zero trust segmentation to strictly control data access between endpoints, applications, and browser extensions.
- • Increase multicloud and application-layer visibility to expedite detection and incident response for shadow AI or covert harvesting channels.
- • Regularly audit and limit browser extension privileges within enterprise environments to minimize unauthorized data access vectors.
