Browser extension AI chat exfiltration

A browser extension is a small program a user installs onto their browser to add features such as ad-blocking, changing how a site looks, or giving the user more information about a site they are using. Once installed, extensions can run scripts in every webpage the user accesses. If the extension was given the read-your-browsing-history permission or the broader permission to read & modify any web page, it can see every URL the user visits & it can read the text of any page the browser displays, including a user's typed prompts to an AI chatbot & the chatbot's replies.

Technically, the read-the-page capability is typically delivered through a content script: a piece of extension code injected into the page that can read the rendered HTML directly. Because the content script runs inside the browser after the TLS connection to ChatGPT or Claude has already been decrypted, the encryption between the user & the AI provider does not protect the chat from the extension. A separate background service worker in the extension can take what the content script reads & post it to a remote server the publisher controls.^[4] Google's own Chrome Web Store Limited Use policy states that "Collection and use of web browsing activity is prohibited, except to the extent required for a user-facing feature described prominently in the Product's Chrome Web Store page and in the Product's user interface."^[5] The cases below indicate that this policy is not consistently enforced.

On May 11, 2026, James Arnott published The AI Chat Scraping Extension Wall of Shame on amibeingpwned.com, a project of Bay Area Labs Inc. Arnott's methodology combined static & dynamic analysis in the AIBP sandbox with manual packet capture; for each Confirmed entry, he watched the AI chat content leave the browser in network traffic in his own sandboxed browser & decoded the obfuscated payloads before classification.^[1] Arnott divided his findings into two categories: Confirmed, meaning he observed chat content leaving the browser during testing, & Capability, meaning the exfiltration code path & remote endpoint were present & wired up but did not fire in the observation window, which he attributed to server-side gating through remote configuration.^[1]

Arnott explained the Capability category as follows:

Remote config lets an extension fetch instructions from a server at runtime, changing behaviour after install without an update. It's also a convenient way to dodge sandbox detection, which is what we think we're looking at in the Capability entries below.

^[1]

The seven extensions Arnott named, with the install counts, owner attributions, status & obfuscation type he documented, are summarised below.^[1]

Arnott separately listed the Urban VPN Proxy extension, with more than eight million users, as an "honourable mention" because it had been caught & had ceased AI-chat scraping after the December 2025 Koi Security disclosure, although it continued to exfiltrate URLs with LZ-String compression at the time of his post.^[1] Arnott also published primary video evidence of two of the Confirmed entries on the amibeingpwned YouTube channel, demonstrating WhatRuns exfiltration^[6] & the StayFocusd infrastructure analysis.^[7]

For a non-technical reader: the Stylish extension wraps every URL the user visits in five layers of encoding before sending it to its servers, which makes it harder for a casual reviewer or an automated Chrome Web Store check to see what is being sent. The encoded request leaves the browser every time the user opens a new page, whether or not the user is doing anything with the extension at that moment.^[4]

Arnott reverse-engineered the Stylish payload & published the structure in a February 26, 2026 post. The JSON payload the extension builds in its background service worker contains, among other fields, gp (the current URL), klm (the previous URL) & pxe (a unique identifier for the user).^[4] The sample payload Arnott captured from a single page visit reads:^[4]

{
    "gp": "https://userstylesapi.com/top/styles",
    "klm": "https://www.google.com/search?q=test+google&rlz=1C5OZZY_enGB1156GB1156&oq=test&gs_lcrp=Eg...",
    "ver": "https://www.google.com/search?q=test+google&rlz=1C5OZZY_enGB1156GB1156&oq=test&gs_lcrp=Eg...",
    "knl": "",
    "dig": "2008511158",
    "tmg": "link",
    "trp": "exthead",
    "st": "1772053130391",
    "ch": "9",
    "di": "a3e3e2a81",
    "pxe": "Lk85G2SeiETEPNOWlrR15mLsZDsC",
    "vmt": "6",
    "lav": "21",
    "wv": "1",
    "gr": "3.4.10",
    "craz": "AAEAAAAAAG0RCwIRdAAAAAAAAAAAAAAAAAAAAAAAAAA="
}

Arnott documented the obfuscation chain applied to that payload before it is posted:

URL encoding to a query string ... Double base64 encoded JSON stringified, then base64 again ... Columnar transposition cipher, the base64 string is split into 48-character rows, then read column-by-column instead of row-by-row, scrambling the text ... AES-256-CBC encrypted using a symmetric key hardcoded in the extension source code ... Base64 encoded one final time.

^[4]

Arnott observed that the AES-256-CBC step uses a symmetric key compiled into the extension's source code, which means anyone willing to read the extension's JavaScript can decrypt the traffic; he published a working JavaScript decoder using the recovered key.^[4] His commentary on the design choice was direct:

I do like the use of a hardcoded encryption key as it makes my life so much easier, although I do wonder if they've heard of this revolutionary "asymmetric encryption" where they can avoid having this hardcoded key for encryption and decryption.

^[4]

Other extensions in Arnott's list applied lighter obfuscation or none at all. Poper Blocker used a character-mapping scheme; CrxMouse used base64; StayFocusd & StayFree used the LZ-String library, which Arnott characterised as compression; WhatRuns & the SimilarWeb extension applied no obfuscation to the exfiltrated requests at all.^[1] WhatRuns, in Arnott's words, "exfiltrates every URL you visit, alongside AI chats. No exceptions here, they don't even bother to obfuscate the requests."^[1]

The Capability extensions are gated server-side, which is why a one-shot sandbox check does not see them firing. Arnott documented the Poper Blocker case in detail: the AI-chat scraping code path & endpoint were present, but the exfiltration only began after the sandbox's user identifier had aged for roughly a day. In his words: "We initially did not see AI chat scraping in our sandbox, but after leaving the user ID to age for a day, the scraping kicked in, confirming the server-side timer gated on user-ID age."^[1] Arnott documented StayFocusd's behaviour as the same pattern with a different trigger: the AI-chat scraping path was present behind a remote configuration flag that was off in initial testing and was not observed to be on at any point during testing, however Arnott demonstrated the capability of StayFocusd's scraping by swapping out the remote server for a locally controlled one which confirmed the AI-chat scraping capability could be remotely enabled.^[1] The category covers ChatGPT, Claude & Character.AI; Arnott names those three providers as the targets exfiltrated by Stylish.^[1]

SimilarWeb is the publisher of both the Stylish extension & an extension named after the company itself. Arnott documented both as Confirmed AI-chat exfiltrators, with the SimilarWeb-branded extension sending AI chats & full URLs even when the user is not interacting with it.^[1] Stylish has carried SimilarWeb's name as publisher since the company acquired the extension in January 2017; Robert Heaton documented in July 2018 that the post-acquisition version recorded every URL Stylish's two million users visited & sent those URLs to SimilarWeb's servers with a unique identifier.^[8] Arnott separately observed a contradiction between the Stylish privacy policy, which he says explicitly states the company sells personal data, & the Chrome Web Store listing's larger-font claim on the home page that it does not.^[4] As of May 2026 the Stylish Chrome Web Store listing names "Similarweb LTD" as the publisher, reports two million users & shows the Featured badge.^[9]

Sensor Tower is the publisher of StayFocusd & StayFree, both classified by Arnott as Capability for AI-chat exfiltration & both observed exfiltrating most URLs the user visits, with a US-centric whitelist for adult sites, US health sites & regex filters for US social security numbers & ZIP codes that does not protect users in other countries.^[1] StayFocusd's Chrome Web Store listing as of May 2026 names "Sensor Tower" as publisher, reports 700,000 users, shows the Featured badge & describes "Gen AI Analytics: Track and analyze your usage of AI chat platforms directly from the StayFocusd" as a feature while separately stating "StayFocusd does not collect personal data from the web pages you visit."^[10]

Big Star Labs LP is the publisher of Poper Blocker & CrxMouse. Arnott observed Poper Blocker exfiltrating URLs with character-mapping obfuscation & gated AI-chat scraping that activated after a 24-hour user-ID age, & observed CrxMouse exfiltrating URLs with base64 obfuscation & carrying the same remote-config infrastructure, however Arnott did not observe CrxMouse explicitly exfiltrating AI-chats during the period of testing.^[1] A name match exists with a 2018 AdGuard investigation by Andrey Meshkov, which documented a Delaware-registered "Big Star Labs" entity whose Chrome extensions & mobile apps were collecting browsing histories from more than 11 million users; AdGuard noted that "Every document that contains the company name is an image (in other words, you cannot simply Google their name), they use different accounts in extension stores, and the domain owners aren't publicized."^[11] Whether the 2026 "Big Star Labs LP" is the same legal entity is not established in cited sources; only the name match is.

Owned it Ltd is the publisher of WhatRuns, which Arnott documented as Confirmed for AI-chat exfiltration with no obfuscation applied to the outbound requests.^[1] The Chrome Web Store listing for WhatRuns as of May 2026 names "Ownedit Ltd" as the publisher, reports 400,000 users, shows the Featured badge & lists a developer address at 11 Brindley Place, Birmingham B1 2LP, United Kingdom.^[12]

Stylish was an open-source browser extension before SimilarWeb acquired it in January 2017. Robert Heaton's July 2, 2018 disclosure documented that the post-acquisition Stylish recorded every URL its users visited & sent that history to SimilarWeb together with a unique identifier; for users who had created a userstyles.org account, that identifier could be linked to a login cookie & through it to a real identity.^[8] Heaton found the exfiltrated payloads in Burp Suite as "a large number of strange-looking requests going to api.userstyles.org" carrying base64-encoded blobs.^[8] Heaton's post updated to note that "2 days after publication of this post, Stylish was removed from the Chrome and Firefox stores. 3 weeks later, a new version is back in the Firefox store."^[8] Arnott's February 2026 follow-up confirms that Stylish has returned to the Chrome Web Store carrying the Featured badge & is again exfiltrating the same categories of data.^[4] The community-maintained open-source fork of the original Stylish codebase, named Stylus, has roughly 900,000 users, does not phone home & caches styles on the user's local machine; Arnott recommends it as the direct replacement.^[4]

In December 2025, Koi Security disclosed that Urban VPN Proxy, a Chrome & Edge extension with more than seven million users, had been logging users' conversations with eight AI assistants since a July 9, 2025 version 5.5.0 update; the platforms intercepted were ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok (xAI) & Meta AI.^[2] Malwarebytes Labs corroborated the finding & noted that the extension sat in the Chrome Web Store with a 4.7-star rating & Google's Featured badge.^[2] The captured conversations were forwarded to Urban Cybersecurity's parent company, BiScience (B.I Science (2009) Ltd), which Malwarebytes characterised as a data broker collecting browsing history & device identifiers from millions of users.^[2] Malwarebytes reported that as of the date of its post, "Urban Proxy VPN and Urban Cybersecurity's other apps appeared to have been removed from the Chrome Web Store."^[2]

On December 30, 2025, OX Security researcher Moshe Siman Tov Bustan disclosed two extensions impersonating the legitimate AITOPIA extension with a combined 900,000 users. The two extensions, Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI & AI Sidebar with Deepseek, ChatGPT, Claude and more, were "found exfiltrating user conversations and all Chrome tab URLs to a remote C2 server every 30 minutes."^[13] One of the two, the ChatGPT-named extension with more than 600,000 users, carried Google's Featured badge at the time of the disclosure.^[13] Ravie Lakshmanan of The Hacker News reported on January 6, 2026 that the extensions were still available for download as of writing but that the ChatGPT-named one "has since been stripped of its 'Featured' badge."^[3] The Hacker News also reported that John Tuckner of Secure Annex had coined the term "Prompt Poaching" for the broader pattern of using browser extensions to capture AI conversations covertly, & had separately identified the SimilarWeb extension & SensorTower's StayFocusd as legitimate analytics-company extensions engaged in the same conduct.^[3] By January 7, 2026, SecurityWeek reported that both AITOPIA-impersonating extensions were no longer available in the Chrome Web Store.^[14]

Google introduced the Chrome Web Store Featured badge in April 2022, telling users that the badge marks extensions that "follow our technical best practices and meet a high standard of user experience and design" & that "Chrome team members manually evaluate each extension before it receives the badge."^[15] Every extension in Arnott's May 2026 list carried Featured, Verified or both at the time of his post.^[1] Arnott's published conclusion was that badges in practice correlate with public attention rather than with audited compliance. In the section The Chrome Web Store badge problem he wrote:

In our experience, Chrome only takes away badges when there's a public outcry. Which is why investigations like this matter.

^[1]

In the What can users do? section, he added:

Don't treat "Featured" or "Verified" as a safety signal. Every extension on this list has at least one.

^[1]

Arnott also documented a direct contradiction between the privacy disclosures of the Stylish extension & its Chrome Web Store listing. The Stylish privacy policy, per his reading, explicitly states the publisher sells personal data; the Chrome Web Store listing's larger-font homepage text states that the publisher does not sell personal data; & the Chrome Web Store's approved-use-cases policy itself prohibits the sale of user data.^[4]

The data leaving the browser in these cases falls into three categories: the text of the user's AI chatbot conversations (the prompts the user typed & the chatbot's replies), the full URL of every page the user visits including search queries & any tokens embedded in URLs, & a persistent unique identifier that lets the receiving company link those records across sessions.^[1][4] Heaton's 2018 analysis of the same data category at SimilarWeb gave the worked examples that still apply: single-use password-reset links, time-limited authentication tokens for medical records & Google search-result URLs are all captured because they live inside the URL the extension sees.^[8] Arnott extends the harm analysis to AI chat content, with the worked example of a user typing search terms about something covered by a non-disclosure agreement or a corporate spearphishing target list being built from a captured record of which web-based software a target uses.^[4]

For non-technical users, the practical mitigations documented in the cited sources are: audit installed extensions & remove anything not actively used, since the permissions persist after install; do not treat the Chrome Web Store "Featured" or "Verified" badges as safety signals;^[1] & for users of Stylish specifically, switch to the open-source fork Stylus, which caches styles locally on the user's machine & does not phone home.^[4] For organisations, Tuckner's summary in The Hacker News is the operational frame: "It is clear prompt poaching has arrived to capture your most sensitive conversations and browser extensions are the exploit vector."^[3]

• Chrome Web Store
• Data broker
• Right to repair
• Sensor Tower
• SimilarWeb
• Browser extension data harvesting