thewhiteh4t.github.io via Reddit

LLMReaper PoC exfiltrates ChatGPT and Claude chats

Key insights

  • LLMReaper uses standard browser extension permissions to silently read and exfiltrate AI conversations from ChatGPT, Claude, and Gemini via DOM access.
  • Prior malicious Chrome extensions with 900,000 combined downloads were already harvesting AI chat data before this proof-of-concept was published.
  • The attack is indistinguishable from legitimate AI productivity extensions at install time, requiring no elevated permissions or user interaction.

Why this matters

Browser extensions represent an uncontrolled attack surface that bypasses every server-side security control LLM providers have built, exposing enterprise AI deployments regardless of model-level safeguards. The 900,000-download precedent shows real campaigns have already monetized AI conversation data before LLMReaper was published, confirming active adversarial interest in this attack class. For founders building AI-native tools and enterprises adopting LLMs in sensitive workflows, browser policy and extension vetting must now be treated as core components of the AI security stack, not just routine endpoint hygiene.

Summary

A security researcher has shown that any browser extension can silently steal AI conversations from ChatGPT, Claude, and Gemini without unusual permission requests. Lohitya Pushkar published LLMReaper, a PoC that reads inputs and responses from the DOM of major LLM interfaces. It uses only standard permissions that legitimate AI productivity tools already request, making malicious versions indistinguishable at install time. Essentially:

  • The interfaces of all three providers (ChatGPT, Claude, Gemini) share this browser-layer attack surface.
  • Malicious Chrome extensions with 900K combined downloads were already harvesting AI conversations before this disclosure.
  • No elevated permissions are needed; the attack reuses what benign extensions already have.
  • Enterprise browser controls cannot reliably detect this threat class at install time.

The disclosure reframes AI chat security as a browser trust problem, arriving as sensitive enterprise workflows increasingly move to LLM interfaces.
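As an added example (not code from LLMReaper or the original post), here is a defender-side audit of a Chrome extension manifest that reports which of the named LLM chat hosts its content scripts or host permissions can reach, including the wildcard and `<all_urls>` cases that make a manifest look harmless at a glance. The host list, the sample manifest and the function names are assumptions constructed for this illustration.

```python
import json

# Hosts of the chat interfaces the page names; the exact domains are an assumption.
LLM_CHAT_HOSTS = ("chatgpt.com", "chat.openai.com", "claude.ai", "gemini.google.com")

# Constructed sample: an "AI productivity" manifest that only asks for routine permissions
# yet can script every listed chat host except chat.openai.com.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Prompt Helper (constructed sample)",
    "permissions": ["storage", "activeTab"],
    "host_permissions": ["*://*.google.com/*"],
    "content_scripts": [{"matches": ["*://chatgpt.com/*", "https://claude.ai/*"],
                         "js": ["content.js"]}],
})


def pattern_covers_host(pattern: str, host: str) -> bool:
    """Return True if a Chrome match pattern lets the extension run on pages of `host`."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep:                      # "storage", "activeTab", ... are not URL patterns
        return False
    host_part = rest.split("/", 1)[0]
    if host_part == "*":             # "*://*/*" reaches every host
        return True
    if host_part.startswith("*."):   # "*.google.com" matches google.com and all subdomains
        return host == host_part[2:] or host.endswith(host_part[1:])
    return host == host_part


def reachable_llm_hosts(manifest: dict) -> dict:
    """Map each reachable LLM host to the manifest entries that grant the access."""
    sources = [("content_scripts.matches", m)
               for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    for key in ("host_permissions", "optional_host_permissions", "permissions"):
        sources += [(key, p) for p in manifest.get(key, [])]
    grants = {}
    for host in LLM_CHAT_HOSTS:
        hits = [f"{field}={pat}" for field, pat in sources if pattern_covers_host(pat, host)]
        if hits:
            grants[host] = hits
    return grants


def audit_manifest(manifest_json: str) -> dict:
    """Parse a manifest.json string and return the LLM hosts it can read."""
    return reachable_llm_hosts(json.loads(manifest_json))


if __name__ == "__main__":
    for host, why in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{host}: reachable via {', '.join(why)}")
```

Run against the manifests in a managed browser's extension directory, the report lists which installed extensions can read chat DOM content and which manifest field grants it, which is the information an allowlist review needs.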

Potential risks and opportunities

Risks

  • Enterprises running sensitive legal, financial, or HR workflows on ChatGPT or Claude face undisclosed data exposure if employees still have any of the already circulating malicious extensions (900K combined downloads) installed.
  • Chrome Web Store and Firefox Add-ons face regulatory scrutiny and potential enforcement actions if AI conversation harvesting via extensions is confirmed at scale by platform audits.
  • AI productivity extension developers face install dropoff and enterprise allowlist exclusions as IT teams tighten extension vetting policies in response to LLMReaper-style disclosures.

Opportunities

  • Enterprise browser security vendors (Island, Talon, LayerX) can position their products as the control plane that blocks DOM-scraping extensions from accessing AI chat surfaces.
  • Extension vetting and supply-chain security services (Spin.AI, CRXaminer) gain direct sales leverage as IT teams audit installed extensions across their LLM-using employee base.
  • LLM providers (Anthropic, OpenAI, Google) could differentiate enterprise offerings by shipping native browser policies or sandboxed web app builds that structurally prevent third-party DOM access to chat sessions.

What we don't know yet

  • Whether Anthropic, OpenAI, or Google have issued technical mitigations or guidance in response to the LLMReaper disclosure.
  • Which specific Chrome extensions were involved in the 900,000-download harvesting campaigns and whether any remain live in the Chrome Web Store today.
  • Whether enterprise browser management platforms such as Chrome Enterprise or CrowdStrike Falcon for Browsers have developed detection signatures for DOM-scraping extension behavior targeting LLM interfaces.