Key Takeaways
- Urban VPN injects scripts that capture user interactions with popular AI platforms, including prompts and responses.
- These scripts are deployed even when VPN features are disabled, and they override browser network APIs to intercept user data.
- The scripts upload user conversation content and metadata to Urban VPN’s backend systems, regardless of VPN use.
- The Urban VPN Chrome extension has high ratings and a "Featured" badge from Google, which may give users a false sense of security.
Introduction to the Issue
According to Koi Security’s findings, Urban VPN has been found to inject scripts that activate whenever users interact with popular AI platforms. These scripts capture both prompts and responses, even when VPN features are disabled. This means that users who trust Urban VPN to protect their online privacy may actually be unknowingly sharing their sensitive information with the company. The scripts in question are designed to override key browser network APIs, allowing Urban VPN to intercept everything a user types and receives on AI chat platforms like ChatGPT, Claude, Gemini, Perplexity, Grok, and others.
The Scripts and Their Functionality
The scripts, which are referred to as "executor" scripts, are deployed by Urban VPN Proxy and are specific to each AI platform. For example, there are separate scripts for ChatGPT, Claude, and Gemini, among others. These scripts continuously monitor AI conversation content and related metadata, and upload it to Urban VPN’s backend systems, regardless of whether the user has VPN features enabled or not. This raises serious concerns about user privacy, as it appears that Urban VPN is collecting and storing sensitive information without users’ knowledge or consent. The fact that these scripts are able to override browser network APIs also suggests that Urban VPN has significant control over users’ online activity.
The Trust Factor and Google’s Involvement
The Urban VPN Chrome extension has high ratings and a "Featured" badge from Google, which may give users a false sense of security. The "Featured" badge indicates that the extension has passed manual review and meets Google’s standards for user experience and design. However, the fact that Urban VPN is injecting scripts that capture user data without their knowledge or consent raises questions about the effectiveness of Google’s review process. It is unclear whether Google was aware of the scripts and their functionality when it awarded the "Featured" badge, but the fact that the extension has been allowed to remain in the Chrome store despite these findings suggests that more needs to be done to protect users’ privacy.
Implications and Concerns
The discovery of these scripts has significant implications for users who trust Urban VPN to protect their online privacy. It suggests that the company is prioritizing data collection over user privacy, and that users may be unknowingly sharing sensitive information with the company. This is particularly concerning given the popularity of AI chat platforms, which are often used for sensitive or confidential conversations. The fact that Urban VPN is able to capture and store this information without users’ knowledge or consent raises serious concerns about the company’s data handling practices and its commitment to user privacy. As a result, users may want to reconsider their use of Urban VPN and explore alternative options that prioritize user privacy and security.
Conclusion and Recommendations
In conclusion, the findings by Koi Security raise serious concerns about Urban VPN’s data handling practices and its commitment to user privacy. The fact that the company is injecting scripts that capture user data without their knowledge or consent is a significant breach of trust, and users should be aware of the potential risks associated with using the Urban VPN Chrome extension. To protect their online privacy, users should consider alternative VPN options that prioritize user privacy and security, and should be cautious when using AI chat platforms, especially if they are sharing sensitive or confidential information. Ultimately, it is up to users to take control of their online privacy and to demand more from companies that claim to protect it.