Urban VPN caught logging private ChatGPT and Claude chats

Security researchers have discovered that Urban VPN, a Chrome extension with millions of installs and even a "Featured" badge from Google, has been quietly intercepting users’ conversations with AI chatbots like ChatGPT, Claude and Gemini. Analysis by cybersecurity firm Koi shows the extension injecting JavaScript into AI sites to capture prompts, responses and metadata, then sending that data to remote servers regardless of whether the VPN is actually in use. A separate, more detailed write‑up notes that Urban VPN’s business model appears to revolve around monetizing this data, effectively turning highly sensitive AI queries into an analytics product sold to third parties. The case highlights just how fragile privacy can be around generative‑AI tools, where people routinely paste medical, financial and work information into chats they assume are confidential. It also raises hard questions for platform operators like Google, whose endorsement signals clearly weren’t enough to protect users from a rogue extension.