Popular Chrome VPN Extension Found Spying on Users, Taking Screenshots

Researchers at Koi Security recently reported that a popular and verified Chrome VPN extension was secretly capturing screenshots of users’ browsing activity and transmitting them to remote servers, all without user knowledge or consent.

Most people install a VPN to enhance their privacy and security. When a tool is recommended, verified, and featured prominently in the browser store with over 100,000 installs, it seems like a safe choice. But as these findings show, appearances can be dangerously deceiving.

Silent Shots

Behind its friendly interface, the FreeVPN.One VPN extension wasn’t keeping your data private. Findings showed it was silently capturing screenshots of everything you did online and sending them back to its servers without the user’s knowledge.

Once installed, it would quietly inject code into every website you visited. Seconds after each page loaded, the extension would snap a screenshot of your screen.

This could have included anything you happened to have open, from work documents and emails, to private photos or banking details. These screenshots were then bundled with your page URL, tab ID, and a unique user ID, and sent to a server controlled by the developer.

There was no pop-up, warning, or notice in the UI (user interface) to indicate that this was happening. Its privacy policy also stated that it would not collect or use your data. These background captures were enabled by default for all users. Even if screenshots were only briefly analyzed, as claimed, there’s no way to verify what happens once your private data leaves your device.

The extension did have a feature called AI Threat Detection which would legitimately take a screenshot for security analysis. However, the extension was already taking many more screenshots automatically in the background, with or without your interaction.

Excessive Permissions and Privacy Risks

The FreeVPN.One tool requested permissions that are common for VPNs, like proxy and storage. But it also asked for others that raised red flags—such as access to every website you visit (), the ability to capture your browser tabs, and permission to run extra scripts on pages.

These special permissions allowed the extension to inject itself everywhere you went online, take screenshots without your knowledge, and send them to a third-party server. This kind of access means the extension could capture passwords, messages, financial data, or any other sensitive information visible on your screen.
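The permission combination described above can be checked for in an extension's manifest.json before it is trusted. The following is an added example, not code from the article or from Koi Security's report; the function name `audit_manifest` is hypothetical, the sample manifests are constructed, and the mapping of the article's plain-language permissions to the Chrome strings `<all_urls>`, `tabs`, `activeTab`, `tabCapture` and `scripting` is an assumption.

```python
import json

# Chrome permission strings assumed to match the article's plain-language
# description; the article does not list the exact manifest entries.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
TAB_PERMS = {"tabs", "activeTab", "tabCapture"}


def audit_manifest(manifest):
    """Return a sorted list of findings for one extension manifest."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    # Manifest V3 keeps host patterns in host_permissions; V2 mixes them into permissions.
    hosts = perms | set(manifest.get("host_permissions", []))
    findings = set()
    if hosts & BROAD_HOSTS:
        findings.add("all-sites-access")
    if perms & TAB_PERMS:
        findings.add("tab-access")
    if "scripting" in perms:
        findings.add("script-injection")
    # Statically declared content scripts that match every page inject everywhere too.
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.add("content-script-on-all-sites")
    injects = findings & {"script-injection", "content-script-on-all-sites"}
    # The three-way combination the article describes: every site, tabs, injected scripts.
    if "all-sites-access" in findings and "tab-access" in findings and injects:
        findings.add("REVIEW: can inject into and capture any page")
    return sorted(findings)


# Constructed sample manifests (not taken from any real extension).
RISKY = json.loads("""{
  "manifest_version": 3,
  "name": "Sample VPN (constructed)",
  "permissions": ["proxy", "storage", "tabs", "scripting"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["http://*/*", "https://*/*"], "js": ["content.js"]}]
}""")
MINIMAL = json.loads("""{
  "manifest_version": 3,
  "name": "Sample proxy-only VPN (constructed)",
  "permissions": ["proxy", "storage"]
}""")

if __name__ == "__main__":
    for m in (RISKY, MINIMAL):
        print(m["name"], "->", audit_manifest(m) or "no findings")
```

A finding is a prompt to ask whether the extension's stated function needs that access, not proof of malicious behaviour.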

Per the findings’ timeline, the extension was updated over time to capture content, transfer data, then encrypt in-transit data.

Despite Chrome’s security checks such as automated scans, human reviews, and monitoring for malicious code, FreeVPN.One managed to slip through.

When asked, the developer claimed that the automatic screenshots were for “background scanning” and should only trigger on suspicious sites, but researchers found screenshots being taken on legitimate services like Google Sheets and Google Photos.

This incident is a clear reminder that even browser extensions with high install counts, positive reviews, or official-looking badges can pose serious privacy risks. When using extensions, review permissions carefully. If an extension asks for access to all websites or permissions unrelated to its main function, think twice. Also, regularly review your installed extensions and remove any that are unnecessary or suspicious.

Stay informed, stay secure, and always be vigilant about what you install.

For a deeper technical dive into the incident, including indicators of compromise and detailed research, check out the full report from Koi Security on their official blog.

