PromptSnatcher — Chrome Ad-Blockers Secretly Intercepting AI Chats

AI relevance: Two Chrome ad-blocker extensions with over 100,000 combined users have been silently intercepting and exfiltrating full AI conversation histories from eight major LLM platforms — a textbook case of prompt poaching via supply-chain compromise in browser extension ecosystems.

What happened

  • Security researcher Jean-Marie R. published the PromptSnatcher report, documenting two Chrome Web Store extensions — "Smart Adblocker" (90K users, published Oct 2022) and "Adblock for Browser" (10K users, published Aug 2023) — that ship a custom interception engine alongside legitimate ad-blocking functionality.
  • The extensions use public filter lists (EasyList, IDCAC) as functional cover while running an undisclosed telemetry channel that captures non-public AI conversations, model usage patterns, and account-tier metadata.
  • Targeted platforms include ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, xAI Grok, and Meta AI — essentially every major consumer and enterprise AI chat surface.
  • The extensions have been live for years, strongly suggesting the AI data exfiltration was introduced via software updates to an initially clean codebase — a classic bait-and-switch pattern.
  • Data is transmitted to operator-controlled infrastructure with only a generic "Enhanced Protection" consent string, not specific disclosure of AI conversation interception.
  • This attack class, now called prompt poaching, has been growing: for months, browser extensions, both legitimate and malicious, have been observed stealthily capturing AI chats under the pretext of Safe Browsing or traffic analytics.
  • The report coincides with a separate campaign documented by Aikido Security: 15 malicious JetBrains Marketplace plugins that exfiltrated AI provider API keys, two of which had over 25,000 downloads each.
  • Both campaigns share a pattern: embedding AI credential theft inside tools that developers and knowledge workers already trust and use daily.

Why it matters

AI conversations contain some of the most sensitive data in any organization — strategic plans, proprietary code, legal questions, HR discussions, and personal information. Unlike traditional browsing data, AI chat logs often include both the user's input and the model's response, creating a complete record of reasoning that an attacker can use to understand decision-making processes or craft targeted social engineering.

The bait-and-switch update pattern makes this especially dangerous. Users who installed a legitimate ad-blocker years ago are now unknowingly running AI surveillance software. Extension permission models don't differentiate between ad-blocking and AI conversation interception — once you grant "read all data on all pages," the extension can do both.

What to do

  • Audit installed extensions immediately. Remove "Smart Adblocker" (ID: iojpcjjdfhlcbgjnpngcmaojmlokmeii) and "Adblock for Browser" (ID: jcbjcocinigpbgfpnhlpagidbmlngnnn) if present.
  • Review extension permissions. Any ad-blocker that requests access to all website data should be treated with suspicion. Prefer extensions with host-specific permissions.
  • Lock down extension installation in enterprise environments via Chrome Enterprise policies. Only allow-list extensions that have undergone security review.
  • Treat AI chat data as sensitive. Apply DLP policies to AI platform URLs the same way you would for internal wikis or document stores.
  • Monitor for prompt poaching indicators, such as unusual outbound data volumes to unknown domains from browser processes, especially from extensions that were recently updated with new capabilities.
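
The first two steps above can be scripted. The following is an added example, not code from the PromptSnatcher report: it walks a Chrome profile's Extensions folder (laid out as `<id>/<version>/manifest.json`), flags the two extension IDs listed above, and reports any other extension whose manifest requests all-sites access. The function names and the sample manifests written by `build_sample` are constructed for illustration and are not the real extensions' manifests.

```python
import json
import sys
import tempfile
from pathlib import Path

# Extension IDs named in the article above.
FLAGGED_IDS = {"iojpcjjdfhlcbgjnpngcmaojmlokmeii",  # "Smart Adblocker"
               "jcbjcocinigpbgfpnhlpagidbmlngnnn"}  # "Adblock for Browser"
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # every-site patterns

def broad_hosts(manifest):
    """Return the all-sites patterns a manifest requests (MV2 and MV3 keys)."""
    patterns = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return sorted(BROAD.intersection(p for p in patterns if isinstance(p, str)))

def audit_extensions(ext_root):
    """Scan <ext_root>/<id>/<version>/manifest.json; return (id, reason, hosts)."""
    findings = []
    for path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            hosts = broad_hosts(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, TypeError, AttributeError):
            findings.append((ext_id, "unreadable-manifest", []))
            continue
        if ext_id in FLAGGED_IDS:
            findings.append((ext_id, "named-in-report", hosts))
        elif hosts:
            findings.append((ext_id, "all-sites-access", hosts))
    return findings

def build_sample(root):
    """Constructed test profile; manifests are made up, not the real extensions'."""
    samples = {
        "iojpcjjdfhlcbgjnpngcmaojmlokmeii": {"permissions": ["storage", "<all_urls>"]},
        "a" * 32: {"host_permissions": ["https://example.com/*"]},
        "b" * 32: {"content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest))
    return root

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    print(*audit_extensions(root), sep="\n")
```

Run it with the path to a profile's `Extensions` folder as the only argument; with no argument it scans the constructed sample. An "all-sites-access" finding is a prompt for review, not a verdict, since many legitimate content blockers request the same access.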

Sources