Browser Extensions Harvest AI Conversations from Millions of Users for Marketing

Ars Technica
Eight browser extensions with 8 million installs harvest full AI chatbot conversations and sell them for marketing. They masquerade as privacy tools but intercept data from top AI platforms and transmit it to third parties.
What happened
Security researchers found eight extensions in the Chrome and Edge web stores, collectively installed over 8 million times, that hijack AI chatbot data. These extensions override browser network functions to capture entire dialogues with AI platforms such as ChatGPT, Claude, and Gemini. The extensions then compress and send conversation data, including prompts, responses, and session info, to servers owned by Urban Cyber Security and its affiliates. Marketed functions like VPN and ad blocking continue independently while the data harvesting runs covertly. The extensions falsely assure users that data remains anonymous and is not used beyond described service purposes, but privacy policies disclose data sharing for marketing analytics. The practice raises serious privacy and security concerns about user trust in AI interaction tools and third-party software.
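
The override of browser network functions described above can be checked for from the defender's side. The following is an added example, not code from the article or the researchers: a heuristic that reports which network APIs in a page are no longer the browser's built-ins. The API list and the `samplePage` object are assumptions constructed for illustration.

```javascript
// Added example (not from the article or the researchers): heuristic check for
// network APIs that script has replaced in the current JavaScript realm.
const fnToString = Function.prototype.toString;
const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

// Built-in functions stringify as "function name() { [native code] }".
// Calling the saved Function.prototype.toString ignores a patched fn.toString.
function isNative(fn) {
  return typeof fn === "function" && NATIVE_RE.test(fnToString.call(fn));
}

// Assumed list: the article says only "browser network functions".
const NETWORK_APIS = [
  "fetch",
  "XMLHttpRequest.prototype.open",
  "XMLHttpRequest.prototype.send",
  "WebSocket.prototype.send",
];

// Walk a dotted path without throwing when an intermediate object is missing.
function resolve(root, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), root);
}

// Returns the paths whose current value is not a built-in function.
// A hit is a lead, not a verdict: polyfills and monitoring SDKs wrap these too.
function findPatchedNetworkApis(root, paths = NETWORK_APIS) {
  return paths.filter((path) => {
    const value = resolve(root, path);
    return value !== undefined && !isNative(value);
  });
}

// Constructed stand-in for `window`, so the example also runs under Node.
// Math.max is a real built-in and models an untouched API.
const builtin = Math.max;
const samplePage = {
  fetch: function (...args) { return builtin(...args); }, // wrapped: flagged
  XMLHttpRequest: { prototype: { open: builtin, send: function () {} } },
};

console.log(findPatchedNetworkApis(samplePage));
```

In a browser, call `findPatchedNetworkApis(window)` from the DevTools console on the chatbot page. The check only sees overrides installed on the page's own globals.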

Key insights

  1. False assurances and opaque consent mechanisms: The extensions present conflicting claims about data use, with AI conversation harvesting buried in lengthy, complex legal texts, undermining genuine user informed consent.

  2. Vulnerabilities in app store moderation and endorsement: Despite handling sensitive AI interaction data, these extensions retain 'Featured' badges on major platforms, highlighting gaps in vetting and quality control by Google and Microsoft.

  3. Integration of data harvesting with core functionalities: The AI data interceptor scripts run independently of advertised VPN or ad-block features, allowing conversation data collection even when other extension functions are disabled.

Takeaways

These extensions demonstrate the increasing complexities and risks in AI data privacy as third-party tools exploit user trust, underscoring the need for stronger platform oversight and clearer user protections.
