Urban VPN Proxy extension collects user data!
If you have been using the Urban VPN Proxy for privacy, you must see this! This browser extension actually harvests user data to facilitate the easy sale of the same.
Urban VPN Proxy is used as an Edge and Chrome extension and has received an impeccable rating of 4.7 on the Google Web Store. It also has a “featured” badge from Google. This means that Urban VPN Proxy has easily passed manual review and also caters to the standards set by Google.
However, a group of researchers at Koi Security has discovered that this extension has been harvesting user data from 8 commonly used AI chatbots– Gemini, ChatGPT, Perplexity, Microsoft Copilot, Claude, Meta AI, Grok, and DeepSeek.
Idan Dardikman, the Chief Technology Officer and Co-founder at Koi Security, has stated that the extension continues to collect data in the background, whether it is currently connected or not. What’s worse is that this extension lacks a user-facing toggle so that users can disable it. As of now, the only way to prevent the extension from collecting your data is to uninstall it right away.
Dardikman believes this data-collection feature has affected a whopping 8 million users.
The 5.5.0 Version of Urban VPN Proxy has the data harvesting feature enabled. All other versions prior to this one did not collect any user data.
The publisher of Urban VPN Proxy has multiple other extensions, which the researchers believe are also involved in data harvesting. These extensions include Urban Ad Blocker, Urban Browser Guard, 1ClickVPN Proxy, etc.
How is Urban VPN Proxy collecting your data?
The extension uses a tailored JavaScript executor. Whenever you use a targeted AI chatbot, it gets triggered to collect user data. Basically, the extension keeps track of your browser tabs and injects the executor JavaScript into the page you’re visiting.
Once the malicious script is injected, it acquires control over two main functions: fetch and XMLHttpRequest. These functions handle most of the requests a browser receives or sends to the internet. So, by overriding these two functions, the Urban VPN Proxy effectively positions itself at the center, with all other network activities revolving around it.
In simple words, all the requests that you make to your ChatBot, and the responses that you receive, have to go through the code of the extension first. Now, this gives complete visibility into the data being sent and received, well before the browser processes or even displays it.
So, when you enter a prompt into an AI chatbot or maybe receive a reply to your question, Urban VPN Proxy can easily view the raw API traffic in the background. The worst part is that this interception stays invisible to the unsuspecting user. The extension is more like an invisible middleman between the AI chatbot and the user.
The injected script can easily scan all the intercepted data and extract all your conversation data. The extracted data may include the prompts you used, timestamps, chatbot replies, interaction metadata, and session identifiers. Just imagine how detailed a picture this extension can develop around your behaviour, interests, and other sensitive conversations.
What happens to the collected data?
The harvested data is sent to the extension’s background service worker. Next, the same data is compressed and transmitted to Urban VPN Proxy’s servers. All these keep happening discreetly in the background, and the user receives no notification.
Urban VPN Proxy has been developed by Urban Cyber Security Inc., which is well-connected to BiScience. The latter has the reputation of being a data broker. In the past, researchers have found out that BiScience was involved in collecting a large amount of clickstream and browsing data and linking the same to persistent device identifiers. This makes it possible to re-identify individual users.
BiScience also offers Software Development Kits to other extension developers, enabling them to harvest and monetize user data. Further, BiScience actively sells user data through products like ClickStream OS and AdClarity.
Why is it concerning for users?
It is true that Urban VPN mentions a certain degree of AI data processing during installation. But what happens in the background stays hidden in the lengthy and jargon-infested privacy documents.
This extension is directly creating trust issues. Rather than offering protection, Urban VPN Proxy is acting as a surveillance tool. Given that users share personal, professional, and confidential data with chatbots, Urban’s data harvesting seems way too intrusive. The extension poses a threat to both individual users and organizations.
It’s best to avoid using free VPNs, as they are far more likely to collect and monetize your personal data instead of charging a fee. Carefully reviewing permission requests during installation can help you spot data-harvesting red flags, while enabling strong phishing protection adds an extra layer of defense against malicious websites and online scams.