Popular Chrome VPN extension caught secretly spying on users — uninstall it right now

Tom's Guide

a day ago

A VPN is a common and recommended privacy tool when going online which is why many people download them as either apps for their computer or smartphone or as extensions for their browser of choice. However, not every VPN is trustworthy or even remains that way. Case in point, FreeVPN.One is a Chrome extension with 100,000 installs, a 3.8 star rating and even a verified badge. However, several recent updates have changed the status of the extension from safe to very suspicious.
As reported by Cybernews, researchers at Koi Security recently put out a report detailing their findings on the extension complete with a timeline that showed how it has shifted to spying on its users instead of protecting their privacy. This was done by taking screenshots of their displays and sending this data back to remote servers. When a webpage is loading, the extension will grab a screenshot in the background and then send it back to a server with additional details like the URL, tab ID number and a unique user identifier.
The report points out how screenshots can include sensitive and personal information like passwords, personal messages and banking details; sending these images to a third-party server is the exact opposite of what a privacy tool like a VPN is supposed to do for its users.
Additionally, the extension now collects and transmits other sensitive information like IP geolocation, device information and sends it encoded in Base64, or via AES-256-GCM encryption with an RSA key which hides the data in transit.
One of the features of the extension is 'Scan with AI Threat Detection' which is intended to upload screenshots and URLs when the user clicks a 'check URL' button, however, there is no indication to the user that the extension has been repeatedly grabbing screenshots in the background even when this feature is not being used.
These suspicious features were added recently and went live on July 17 of this year, which was right before strict age verification rules went into effect in the U.K.; many people in that area would be searching for VPNs after the rules went into place as a workaround.
VPN extensions need some permissions to operate on a user's system – usually proxy and storage permissions. However, FreeVPN.One required suspiciously more access including all URLs, tabs and scripting permissions. The researchers at Koi Security pointed out that this, in addition to the other issues the extension exhibited, opened the door to persistent surveillance of its users.
A developer is not named in either the privacy policy or the Terms of Service on the FreeVPN.One website, and their explanations to the security researchers about their findings do not match. According to the researchers: 'The [developer] explained that the automatic screenshot capture is part of a Background Scanning feature, which should only trigger if a domain appears suspicious. In practice, we saw screenshots being captured on trusted services like Google Sheets and Google Photos, domains that cannot be considered suspicious' and the developer ceased communications when asked to provide proof of legitimacy.
If you've installed this VPN extension, you should uninstall it and run a scan using one of the best antivirus software solutions. Likewise, you're going to want to check your browser extensions to ensure that it's removed and then check your screenshots folder as well.
Follow Tom's Guide on Google News to get our up-to-date news, how-tos, and reviews in your feeds. Make sure to click the Follow button.