Free VPN for Chrome collects user data without authorization
27.08.25
Experts from Koi have discovered that the popular FreeVPN.One Chrome extension was secretly taking screenshots of visited pages and collecting user location data.
The extension was installed over 100,000 times, and in the Chrome Web Store it had the Featured mark from Google — a sign of compliance with recommended security standards. However, an analysis of the code showed that FreeVPN.One automatically captured the screen 1.1 seconds after each page was loaded. Along with the URL and tab ID, the images were sent to the developer’s server.
The VPN officially advertises a “Scan with AI Threat Detection” function, for which the privacy policy does mention sending “selective screenshots.” But, as it turned out, every page was captured, one after another, even without this function being activated. Moreover, since April the extension has been requesting more and more access rights, and since July 17 it has been recording geolocation and transmitting device characteristics. To mask the transfer of data, the developer added AES-256-GCM encryption and a separate subdomain.
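A defender can spot the kind of permission growth described above by diffing the manifest.json of successive extension versions. The following is an added example, not code from the Koi report or from the extension: both manifests are constructed samples, and the watch list of permissions is an assumption chosen for illustration.

```javascript
// Added example: diff two versions of an extension's manifest.json and report
// newly requested permissions. Both manifests are constructed samples.

// Assumed watch list: real Chrome permission names, chosen for illustration.
const HIGH_RISK = new Map([
  ["<all_urls>", "access to every site"],
  ["tabs", "URL and title of every tab"],
  ["scripting", "script injection into pages"],
  ["geolocation", "device location"],
]);

// Gather everything a manifest asks for, required or optional.
function collectPermissions(manifest) {
  const keys = ["permissions", "host_permissions",
                "optional_permissions", "optional_host_permissions"];
  const found = new Set();
  for (const key of keys) {
    for (const p of manifest[key] || []) {
      if (typeof p === "string") found.add(p);
    }
  }
  return found;
}

// Match patterns that cover every host, e.g. "*://*/*" or "https://*/*".
function isBroadHost(p) {
  return p === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(p);
}

function diffPermissions(oldManifest, newManifest) {
  const before = collectPermissions(oldManifest);
  const after = collectPermissions(newManifest);
  const added = [...after].filter((p) => !before.has(p)).sort();
  const flagged = added.filter((p) => HIGH_RISK.has(p) || isBroadHost(p));
  return { from: oldManifest.version, to: newManifest.version, added, flagged };
}

// Constructed manifests for two hypothetical releases of a VPN extension.
const SAMPLE_OLD = { version: "1.0.0", permissions: ["storage", "proxy"] };
const SAMPLE_NEW = {
  version: "1.1.0",
  permissions: ["storage", "proxy", "tabs", "scripting", "geolocation"],
  host_permissions: ["<all_urls>"],
};

const report = diffPermissions(SAMPLE_OLD, SAMPLE_NEW);
for (const p of report.flagged) {
  console.log(`${report.from} -> ${report.to}: +${p} (${HIGH_RISK.get(p) || "all hosts"})`);
}
```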
The author of the extension initially responded to the researchers’ questions by claiming that screenshots were needed to check “suspicious sites.” But he refused to prove the legitimacy of his company and soon stopped communicating. The developer’s only known website turned out to be built on a free Wix template.
Despite the exposure, FreeVPN.One is still available in the Chrome Web Store. Its rating remains at 3.7 stars, but the comments are already dominated by negative reviews, where users refer to the Koi investigation.
