
A Chrome extension named FreeVPN.One, which had over 100,000 installations and a “Featured” badge in the Chrome Web Store, was discovered by Koi Security to be secretly taking screenshots of users’ web activity.
The extension has since been removed, but the incident reveals significant gaps in the vetting process for browser add-ons.

How the FreeVPN.One Chrome extension spied on users

Instead of only providing a VPN service, FreeVPN.One was designed to capture screenshots of every website a user visited. This included sensitive information like bank login details, personal photos, and confidential documents, which were then sent to a server controlled by the developer.
The extension masked its surveillance by incrementally adding new permissions under the justification of an “AI Threat Detection” feature. This allowed it to gain extensive access to user browsing data through Chrome’s “ and scripting permissions without raising immediate alarm. What was presented as a security feature was actually a tool for constant monitoring.

Developer’s claims contradicted by evidence

Koi Security’s investigation confirmed that the extension captured screenshots even on trusted websites, such as Google Photos and Google Sheets. This finding directly refuted the developer’s claim that the feature was only active on “suspicious domains.”
When confronted with the evidence, the developer asserted that the screenshots were part of a “background scanning” feature and were not stored. However, he could not provide any proof of legitimacy, such as a company profile or GitHub repository, and eventually stopped responding to inquiries.

Warning signs of a malicious extension

Several red flags could have alerted users to the risks of FreeVPN.One:
The fact that a malicious extension could operate for months with a “Featured” label raises questions about the effectiveness of the Chrome Web Store’s review process.

How to protect yourself if you installed the extension

If you installed FreeVPN.One or a similar suspicious extension, follow these steps to secure your information:
Always review the permissions an extension requests before installing it. A VPN extension asking for permission to access “all websites” is a massive red flag.
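
The permission review described above can be scripted against an extension's manifest.json. The following is an added example, not code from the article or from Koi Security: both manifests are constructed samples (not FreeVPN.One's real files), and the pattern lists that define "all websites" and page-access permissions are assumptions you should tune.

```javascript
// Constructed example: flag all-sites access combined with page-access
// permissions, and list what a new version added over the previous one.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const PAGE_ACCESS = new Set(["scripting", "tabs", "activeTab", "webRequest", "debugger"]);

// Collect every permission and host pattern a manifest (MV2 or MV3) declares,
// including optional ones the extension can request after install.
function collectGrants(manifest) {
  const grants = new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ]);
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) grants.add(m);
  }
  return grants;
}

function auditManifest(manifest) {
  const grants = [...collectGrants(manifest)];
  const broadHosts = grants.filter((g) => BROAD_HOSTS.has(g)).sort();
  const pageAccess = grants.filter((g) => PAGE_ACCESS.has(g)).sort();
  // A content script matched against every site is page access by itself.
  const injectsEverywhere = (manifest.content_scripts || []).some((cs) =>
    (cs.matches || []).some((m) => BROAD_HOSTS.has(m)));
  const highRisk = injectsEverywhere || (broadHosts.length > 0 && pageAccess.length > 0);
  return { broadHosts, pageAccess, injectsEverywhere, highRisk };
}

// Grants present in the new version but absent from the old one.
function addedGrants(oldManifest, newManifest) {
  const before = collectGrants(oldManifest);
  return [...collectGrants(newManifest)].filter((g) => !before.has(g)).sort();
}

// Constructed manifests for two successive versions of a hypothetical VPN extension.
const v1 = { manifest_version: 3, version: "1.0", permissions: ["proxy", "storage"] };
const v2 = {
  manifest_version: 3, version: "1.1",
  permissions: ["proxy", "storage", "tabs", "scripting"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["content.js"] }],
};

console.log("v1:", auditManifest(v1));
console.log("added in v2:", addedGrants(v1, v2));
console.log("v2:", auditManifest(v2));
```

Running the diff on each update is what surfaces permissions that arrive incrementally rather than at first install.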