Security

A popular Chrome VPN extension, FreeVPN.One, is under scrutiny after researchers alleged it began secretly taking screenshots of users’ browsing activity and transmitting them to a remote server. Google has yet to remove the extension, which has more than 100,000 installations.
Cybersecurity company Koi Security said the extension, previously marketed as a privacy tool, started capturing screenshots shortly after pages loaded and uploading them without user consent. The behavior was introduced in July after earlier updates requested expanded permissions, including access to all sites and the ability to inject scripts.
“FreeVPN.One shows how a privacy branding can be flipped into a trap,” said Lotan Sery, a researcher at Koi Security. “This case highlights serious gaps in browser marketplace security, despite automated scans and human reviews that are supposed to detect malicious behavior.”
When approached for comment, the developer of FreeVPN.One said the extension complies with Chrome Web Store policies and that any screenshot activity is disclosed in its privacy policy. The developer added that the images are encrypted and used only for background scanning when a website appears suspicious.
Koi researchers disputed that explanation, presenting evidence that screenshots were captured even on trusted sites, including Google’s own pages. They said the images were initially transmitted unencrypted before later being obfuscated.
The extension’s apparent shift in behavior raises questions about oversight on the Chrome Web Store, which hosts thousands of extensions. Google’s policies prohibit developers from using user data for purposes unrelated to an extension’s core functionality. However, FreeVPN.One’s product description refers to an “AI Threat Detection” feature that “visually scans websites,” a phrasing that researchers say masks its true activity.
The warning comes as demand for VPNs rises, partly fueled by new online safety rules in the United Kingdom requiring age verification on certain websites. Privacy advocates warn that malicious tools disguised as VPNs could put users at greater risk.
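The permission expansion described above is something a defender can check for before an extension update is approved. The following is an added example, not code from Koi Security or from the extension: it compares the manifests of two releases and flags newly requested permissions. The page does not name the permission strings involved, so mapping "access to all sites" to broad host patterns such as `<all_urls>` and "inject scripts" to the `scripting` permission is an assumption, and both manifests are constructed samples.

```javascript
// Added example: flag risky permission growth between two versions of a
// Chrome extension manifest. Both manifests below are constructed samples,
// not the real FreeVPN.One manifests.

// Host patterns that grant access to every site.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// API permissions that allow script injection, tab access, or traffic and page inspection.
const SENSITIVE_APIS = new Set(["scripting", "tabs", "webRequest", "debugger"]);

// Collect every permission a manifest requests (Manifest V2 and V3 layouts).
function collectPermissions(manifest) {
  const all = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ];
  // Content scripts are injected into every page their match patterns cover.
  for (const cs of manifest.content_scripts || []) all.push(...(cs.matches || []));
  return new Set(all);
}

// Return the permissions that are new in `next`, with a severity for each.
function diffPermissions(prev, next) {
  const before = collectPermissions(prev);
  const findings = [];
  for (const perm of collectPermissions(next)) {
    if (before.has(perm)) continue;
    let severity = "info";
    if (BROAD_HOSTS.has(perm)) severity = "high";
    else if (SENSITIVE_APIS.has(perm)) severity = "medium";
    findings.push({ permission: perm, severity });
  }
  // Plain code-unit ordering keeps the report deterministic across locales.
  return findings.sort((a, b) => (a.permission < b.permission ? -1 : 1));
}

// Constructed manifests for two successive releases of a hypothetical VPN extension.
const v1 = { manifest_version: 3, version: "1.0.0", permissions: ["proxy", "storage"] };
const v2 = {
  manifest_version: 3, version: "1.1.0",
  permissions: ["proxy", "storage", "tabs", "scripting"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["content.js"] }],
};

console.log(diffPermissions(v1, v2));
```

A "high" finding on a VPN extension is a prompt for manual review of the update, since proxy configuration alone does not require access to page content.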