AI in Product, Engineering, and Data
Apple will reject your iPhone app for one shady permission. Google Chrome will “Feature” a browser extension that watches your AI chats.
A week ago I was talking with a COO at a regional insurance brokerage. They have a clean mobile security story, but their team does all the real work in the browser now - quoting, claims notes, customer emails, and a lot of “sanity checks” in ChatGPT (OpenAI) and Claude (Anthropic).
On December 15, Koi published a teardown of Urban VPN Proxy (Urban Cyber Security), a Chrome and Edge extension with over 6 million installs and a Google “Featured” badge. Their finding was brutal: the extension injects scripts into ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, Grok (xAI), Meta AI, DeepSeek AI and more, then captures prompts and responses and ships them out. It was added in a silent auto-update starting July 9, 2025, and there is no real off switch - uninstall is the only stop.
Zoom out and the scary part for non-tech companies is not “AI risk”. It is third-party risk you never procured. A browser extension is effectively a vendor that can change its behavior overnight.
This makes me wonder how many “AI policies” ignore the one place the data actually flows - your browser.