Prompt Poaching: when browser extensions read your AI chats

In December 2025, researchers found that popular Chrome extensions — installed by millions — were silently harvesting AI conversations and selling them to data brokers. This is the incident that led to Secret Sanitizer being built.

What happened

In late 2025, security researchers discovered that a number of Chrome extensions were quietly capturing the full text of users' AI conversations — prompts and responses — from sites like ChatGPT, and shipping that data off to third-party servers, where it was packaged and sold to data brokers. The technique earned a name: Prompt Poaching.

What made it alarming wasn't the technique — content-script data theft is an old trick. It was the scale and the trust signals. These weren't shady, zero-install extensions. Some had millions of users. Some carried badges that users reasonably interpret as a stamp of safety. They passed store review because their declared functionality was legitimate; the harvesting rode along underneath.

Why AI chats are the perfect target

Think about what people type into an AI assistant compared to a search box. Search queries are a few words. AI conversations are:

A year of someone's AI conversations is one of the most complete profiles of them that has ever existed in one place. To a data broker, that's premium inventory. To an attacker, the pasted credentials alone are a payday.

How the attack actually works

Browser extensions can request host permissions — the right to run JavaScript (a "content script") inside specific websites, or all of them. That's legitimate and necessary: it's how ad blockers block ads and how password managers fill forms. But a content script running in your ChatGPT tab can read everything on that page, including:

From there, exfiltration is one fetch() call to the attacker's server. Nothing about it looks unusual to you — the page works perfectly. The only reliable defenses are the permissions you grant and the code the extension actually contains.

How to audit your own browser (10 minutes)

  1. Open chrome://extensions and remove what you don't use. Every extension is standing attack surface; unused ones are pure downside.
  2. Review site access for what remains. Click Details on each extension and check "Site access." Anything with access to all sites — or specifically to your AI chat domains — deserves scrutiny. Where possible, switch access to "On click."
  3. Be suspicious of ownership changes. A common pattern: a legitimate extension gets sold, and the new owner ships a malicious update to an installed base that trusted the old one. If an extension you rely on changes hands, re-evaluate it.
  4. Prefer open source you can read. An extension whose exact store-published code is on GitHub can be audited by anyone. Closed-source extensions that handle sensitive pages ask you to take their word for it.
  5. Treat store badges as one signal, not a verdict. Featured badges and install counts reflect review at a point in time. The Prompt Poaching extensions had both.

Rule of thumb: any extension that can read your AI chat pages can read everything you and the AI say to each other. Grant that power only to code you can verify — or code that verifiably can't phone home.
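
The site-access review in step 2 can also be done against the manifests themselves. The following is an added example (not part of the original post and not Secret Sanitizer code): it takes parsed manifest.json objects and reports every permission or content-script pattern that reaches an AI chat host. The hostnames in AI_HOSTS and the sample manifests are assumptions constructed for illustration.

```javascript
// Added example: flag manifest entries that grant access to AI chat pages.
// Hostnames are assumptions for the products the article names; edit for your own use.
const AI_HOSTS = ["chatgpt.com", "claude.ai", "gemini.google.com", "grok.com"];

// True if a Chrome match pattern covers https://<host>/ (any path counts, to stay conservative).
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\/.*$/.exec(pattern);
  if (!m) return false; // API permission such as "storage", not a host pattern
  const [, scheme, patHost] = m;
  if (scheme !== "*" && scheme !== "https") return false;
  if (patHost === "*") return true;
  if (patHost.startsWith("*.")) {
    const base = patHost.slice(2); // "*.example.com" covers example.com and its subdomains
    return host === base || host.endsWith("." + base);
  }
  return patHost === host;
}

// Check every manifest key that can grant page access; report which AI hosts each pattern reaches.
function auditManifest(manifest, aiHosts = AI_HOSTS) {
  const sources = [
    ["host_permissions", manifest.host_permissions], // Manifest V3
    ["optional_host_permissions", manifest.optional_host_permissions],
    ["permissions", manifest.permissions], // Manifest V2 lists host patterns here
    ...(manifest.content_scripts || []).map((cs, i) => [`content_scripts[${i}].matches`, cs.matches]),
  ];
  const findings = [];
  for (const [source, patterns] of sources) {
    for (const pattern of patterns || []) {
      const hosts = aiHosts.filter((h) => patternCoversHost(pattern, h));
      if (hosts.length) findings.push({ source, pattern, hosts });
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLES = {
  "tab-colorizer": { manifest_version: 3, permissions: ["storage"], host_permissions: ["<all_urls>"] },
  "recipe-clipper": { manifest_version: 3, permissions: ["activeTab"],
    content_scripts: [{ matches: ["https://*.example-recipes.test/*"], js: ["clip.js"] }] },
  "chat-helper": { manifest_version: 2, permissions: ["tabs", "*://*.google.com/*"],
    content_scripts: [{ matches: ["https://chatgpt.com/*"], js: ["c.js"] }] },
};

function auditAll(samples = SAMPLES) {
  return Object.fromEntries(Object.entries(samples).map(([name, m]) => [name, auditManifest(m)]));
}
console.log(JSON.stringify(auditAll(), null, 2));
```

A manifest shows what an extension requests, not what you have since restricted under "Site access", so treat a finding as a prompt to open Details for that extension rather than as a verdict.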

Why this incident shaped Secret Sanitizer

This is the incident that led me to build Secret Sanitizer — I tell the full story in Why I built Secret Sanitizer. The short version: Prompt Poaching and accidental key-pasting look like different problems, but they share one root: your private data leaving your machine without your knowledge. One is theft by an extension; the other is a self-inflicted paste. The fix for both is the same architecture — process everything locally and give the data no path out.

That's why Secret Sanitizer is built the way it is:

An extension that guards your secrets must be held to a higher standard than the extensions that caused the problem. "Trust us" isn't that standard — "verify it yourself" is.

Guard the paste, locally

Secret Sanitizer masks API keys, tokens, and credentials before they reach ChatGPT, Claude, Gemini, or Grok — with zero network calls, ever. Free and open source.
