Security researchers recently made a shocking discovery – malicious browser extensions are targeting users’ sensitive AI conversations. However, it turns out that the practice is widespread, and even legitimate extensions are pilfering users’ AI chats.
Over the past few weeks, Cybersecurity experts have discovered Chrome and other browser extensions syphoning user conversations with chatbots.
First, Koi researchers flagged featured VPN extensions with over 8 million users, harvesting and selling sensitive data to third parties.
OX Security discovered two “malicious extensions” doing the same, one of them also bore Google’s “Featured” badge.
It appears that this practice is more widespread than previously anticipated.
Secure Annex researcher John Tuckner warns that Similarweb, a popular and legitimate browser extension with over 1,000,000 users, is also actively monitoring and collecting data from AI tools.
The extensions transmit prompts, chatbot responses, and other metadata for web analytics. This functionality was recently introduced.
“Similarweb extension contains sophisticated data collection capabilities specifically targeting AI chat platforms,” the researcher writes in a report about rampant prompt poaching in extensions.
“Similarweb, a web analytics company itself, claims to provide instant website analysis and SEO metrics, but silently added the ability to monitor conversations after a May 2025 update.”
The extension scripts include parsing logic for ChatGPT, Claude, Gemini, and Perplexity.
The company’s privacy policy also clearly states that AI inputs and outputs, workflows, and metadata will be collected, including attached or uploaded files, such as images, videos, text, CSV files, and others.
The company explains that it does not aim to collect personal data for identification purposes and takes steps, where possible, to remove or filter out identifiers and personal data that might be submitted to AI tools.
And of course, it is not the only one. The researcher discovered that past versions Stayfocusd extension, a featured productivity tool, also contained behaviorally similar code. However, it has recently been made slightly less invasive, continuing to collect metadata about conversations with AI, but not the chats themselves.
This practice is concerning because people tend to share private thoughts and sensitive information with AI chatbots.
Users accept data collection practices when they install the extension.
What’s going on? Can’t we have a little privacy?
PCMag has previously discovered that Profound, a New York-based startup, is already selling insights on what users are asking major chatbot providers. The data is highly valuable to all marketing companies that target ads.
Koi Security previously detailed that the flagged Urban VPN extensions, pilfering AI conversations, are affiliated with the data broker company BiScience. User data is then sold through advertising products, such as AdClarity and Clickstream OS.
Urban VPN later responded by denying the claims that AI data processing was automated or hidden and stating that AI-related processing features (AI protection) are opt-in and not enabled by default. Users can also disable AI Protection “at any time.”
Researchers warn that the so-called “Prompt Poaching” technique is gaining popularity, and many other extensions may update to include this functionality as a means of monetization.
“This is just the beginning of this trend. More firms will begin to realize these insights are profitable,” Tuckner said.
“Extension developers looking for a way to monetize will add sophisticated libraries like this one supplied by the marketing companies to their apps. Your deepest thoughts will be harvested and sold for their gain.”
The researcher warns that this practice poses a significant threat to organizations – a seemingly benign Chrome extension can unknowingly leak internal secrets or activities.
“Until Google and other browser extension marketplaces create policies specifically for this behavior or enforce existing policies, like single-purpose, users should be wary. It is very likely against Google's policy for remotely hosted code,” Tuckner said.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked