For two years, the standard warning about the big AI chatbots and sensitive data has been about input: be careful what you paste in. A February 2026 disclosure from Check Point Research flips the problem to the other side of the conversation – how data can quietly get out.
A sandbox with a side door
The AI chatbot at the center of the finding can run code in a sandboxed runtime to crunch numbers, parse files, and build charts. That runtime is deliberately walled off: direct connections to the open internet are blocked, so a prompt that tries to ship your data to some server simply fails. The safeguard is real.
What the researchers showed is that the wall had a gap. The sandbox still needs to resolve domain names, and DNS lookups leave the isolated environment by design. By packing data into the subdomain of a lookup – turning something like secret-data.attacker.example into a query – information could be smuggled past the boundary one request at a time. The resolver infrastructure that every network relies on did the carrying.
A two-way channel, not just a leak
The sharp part is that the channel ran in both directions. The attacker’s name server could answer those lookups, and the answers became instructions flowing back into the runtime. An isolated sandbox effectively gained a slow, covert command line – enough to exfiltrate data and to steer what happened next.
Custom assistants raised the stakes
The technique was most dangerous inside custom assistants. A typical prompt-injection attack needs the victim to paste something hostile. A pre-built assistant, by contrast, ships with its own baked-in instructions, so the malicious logic can travel with the assistant itself. The user just has a conversation; the exfiltration rides along invisibly.
The proof of concept made this concrete: a seemingly helpful “personal doctor” assistant that pulled names and medical findings out of an uploaded lab report and pushed them out over the hidden channel, with no warning to the person using it.
What was at risk
- Raw messages and the contents of uploaded documents.
- Model-generated summaries and analysis – the distilled, often more sensitive version of your data.
- Health findings, financial conclusions, and the personal identifiers buried in everyday files.
The vendor’s response
The vendor said it had identified the issue internally and rolled out a fix, fully deployed on 20 February 2026. There is no indication the channel is still open. The lesson, though, outlives the patch.
The lesson: minimize what you send
Sandboxes, allow-lists, and outbound filters are valuable, but they are perimeter defenses – and perimeters are exactly what determined research keeps finding ways around. This was a sanctioned, mainstream AI product with strong isolation, and data still found an exit.
The most durable defense doesn’t depend on the provider’s perimeter holding. It depends on the sensitive data never being in the prompt to begin with. If a name, an IBAN, or a patient ID is replaced with a neutral placeholder before the prompt leaves your browser, a covert channel on the other side carries placeholders – not your secrets.
That is the principle SOWA Privacy is built on. Detection and substitution happen locally, on the device, so the model receives a sanitized version of your input. It is not a replacement for a vendor’s runtime security – it is the layer that means a failure of that runtime doesn’t become a leak of your data.
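The local substitution step described above, as an added example that is not SOWA Privacy's code: it validates IBAN candidates with the ISO 13616 mod-97 check before replacing them, uses a constructed PT-nnnnnn pattern as a stand-in for a patient ID, and maps the placeholders back into the model's reply on the device.

```javascript
// Added example (not SOWA Privacy's code): swap sensitive identifiers for
// neutral placeholders before a prompt leaves the client, then restore them
// locally in the reply. The IBAN checksum is standard; the patient-ID
// pattern is a constructed assumption for this example.

// IBAN shape per ISO 13616: 2 letters, 2 check digits, 11-30 alphanumerics.
const IBAN_RE = /\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b/g;
// Constructed pattern: "PT-" plus 6 digits, standing in for a patient ID.
const PATIENT_ID_RE = /\bPT-\d{6}\b/g;

// ISO 13616 mod-97 check: move the first four characters to the end, map
// letters to numbers (A=10 ... Z=35), and the remainder mod 97 must be 1.
function ibanIsValid(iban) {
  const rearranged = iban.slice(4) + iban.slice(0, 4);
  let remainder = 0;
  for (const ch of rearranged) {
    const piece = /[A-Z]/.test(ch) ? String(ch.charCodeAt(0) - 55) : ch;
    for (const d of piece) remainder = (remainder * 10 + Number(d)) % 97;
  }
  return remainder === 1;
}

// Replace each match with a stable placeholder: the same value always maps to
// the same token, so the model can still follow repeated references.
function sanitize(prompt) {
  const map = new Map();   // placeholder -> real value (stays on the device)
  const seen = new Map();  // real value -> placeholder
  const counters = {};
  const swap = (label) => (match) => {
    if (label === 'IBAN' && !ibanIsValid(match)) return match; // not an IBAN
    if (!seen.has(match)) {
      counters[label] = (counters[label] || 0) + 1;
      const token = `[${label}_${counters[label]}]`;
      seen.set(match, token);
      map.set(token, match);
    }
    return seen.get(match);
  };
  const text = prompt
    .replace(IBAN_RE, swap('IBAN'))
    .replace(PATIENT_ID_RE, swap('PATIENT_ID'));
  return { text, map };
}

// Put the real values back into the model's reply, locally.
function restore(reply, map) {
  return reply.replace(/\[[A-Z_]+_\d+\]/g, (tok) => map.get(tok) ?? tok);
}
```

If the sanitized prompt is exfiltrated downstream, the attacker receives `[IBAN_1]` and `[PATIENT_ID_1]` rather than the real identifiers.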
What the AI industry should take from this
- Exfiltration is not only an input problem. As assistants gain the ability to browse, run code, and call tools, the outbound path has to become a first-class part of every AI vendor’s threat model.
- Isolation boundaries leak. DNS and other “necessary” pathways will keep turning into escape routes, so perimeter controls cannot be the last line of defense for anyone building with AI.
- Capability travels with the assistant. Features like custom, shareable assistants let logic ride along without any suspicious paste – a pattern every platform extending AI with plugins or agents will have to design around.
- The durable fix is systemic: minimize sensitive data at the source. If the real data never enters the prompt, a downstream leak – at any provider – carries nothing worth stealing.
The provider closed this door quickly. But every model that can browse, run code, or call tools widens the surface where the next one could open. The safest assumption is that whatever you hand an AI may travel further than you intended – so hand it as little of the real thing as the task allows.