Cybersecurity researchers at Koi Security have uncovered a significant privacy violation in the popular FreeVPN.One Chrome extension, which has been secretly capturing screenshots of users’ web browsing activities and transmitting them to remote servers without consent. This discovery affects over 100,000 active users and highlights critical vulnerabilities in browser extension security protocols.
Technical Analysis of the Malicious Behavior
The investigation revealed that the extension automatically captures screenshots approximately one second after each webpage loads, creating a comprehensive record of users’ browsing activities. Initially, these screenshots were transmitted in unencrypted format, making the data breach even more severe. However, following subsequent updates, the developers implemented encryption mechanisms to obfuscate their surveillance activities.
The extension maintained its presence in the official Chrome Web Store throughout the investigation period, demonstrating how malicious actors can exploit trusted distribution channels. With more than 100,000 active installations, the scope of this privacy breach represents one of the more significant browser extension security incidents in recent months.
Evolution of the Malicious Extension
The transformation of FreeVPN.One into a surveillance tool began in July 2025 through a sophisticated privilege escalation campaign. The developers employed a gradual approach, releasing incremental updates that requested additional permissions without triggering automated security systems.
The permission escalation sequence included requests for:
• Access to all visited websites and web content
• Script injection capabilities across all domains
• Implementation of “AI-powered threat detection” features
This methodical approach allowed the malicious actors to bypass the Chrome Web Store's automated monitoring systems, which are designed to flag extensions that suddenly request extensive permissions or exhibit dramatic behavioral changes.
Developer Response and Contradictory Claims
When contacted by security researchers and journalists from The Register, the FreeVPN.One development team maintained that their extension "fully complies with Chrome Web Store policies" and claimed the screenshot functionality was disclosed in their privacy policy.
The developers defended their actions by stating that screenshots were only captured for “background scanning of suspicious domains” and emphasized that captured data was not permanently stored on their servers, but only analyzed for potential security threats.
Evidence Contradicts Official Statements
However, Koi Security researchers provided concrete evidence demonstrating that the extension captures screenshots continuously from all visited websites, including trusted domains like Google services. This comprehensive surveillance directly contradicts the developers’ claims about selective scanning of only suspicious websites.
Chrome Web Store Security Framework Failures
This incident exposes significant weaknesses in Google’s extension security infrastructure. Despite Chrome Web Store’s multi-layered security approach, which theoretically includes automated code scanning, manual review processes, behavioral monitoring, and malicious code detection, these protective measures failed to prevent the distribution of a privacy-invasive extension with verified developer status.
The failure is particularly concerning given that the extension maintained its legitimate appearance while conducting unauthorized surveillance activities, suggesting that current security protocols may be inadequate for detecting sophisticated social engineering attacks on browser extension ecosystems.
Mitigation Strategies and User Protection
Users should immediately implement several protective measures to safeguard their browsing privacy. Regular auditing of installed browser extensions is essential, particularly focusing on recently granted permissions and unusual behavior patterns. When extensions request additional permissions through updates, users should carefully evaluate whether these requests align with the extension’s stated functionality.
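The kind of audit described above, and the staged permission escalation described earlier in the article, can both be checked mechanically from an extension's manifest.json across versions. The script below is an added example written for this page; it is not FreeVPN.One's code or manifest, and the three sample manifests are constructed to mimic a gradual escalation (a minimal proxy extension that first gains broad host access, then the tabs and scripting APIs). The permission names and manifest keys are real Chrome manifest keys; the risk weighting applied to them is an assumption of this example.

```python
"""Audit Chrome extension manifests for permission escalation across updates.

Added example for this article, not code from the extension or its developers.
The three manifests at the bottom are constructed samples.
"""
import json
from typing import Dict, List, Set, Tuple

# Host patterns that grant access to every site (assumption: treated as equivalent).
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def effective_permissions(manifest: dict) -> Tuple[Set[str], Set[str]]:
    """Return (api_permissions, host_patterns) declared by a manifest.

    Host patterns can appear in "host_permissions" (MV3), mixed into
    "permissions" (MV2 style), or in content_scripts "matches".
    """
    api: Set[str] = set()
    hosts: Set[str] = set()
    for p in manifest.get("permissions", []):
        if p == "<all_urls>" or "://" in p:
            hosts.add(p)
        else:
            api.add(p)
    hosts.update(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return api, hosts


def has_broad_host_access(hosts: Set[str]) -> bool:
    return any(h in BROAD_HOST_PATTERNS for h in hosts)


def risk_findings(manifest: dict) -> List[str]:
    """Human-readable findings for one manifest version (assumed risk rules)."""
    api, hosts = effective_permissions(manifest)
    findings: List[str] = []
    broad = has_broad_host_access(hosts)
    if broad:
        findings.append("broad host access: can read every page the user visits")
    if broad and "scripting" in api:
        findings.append("scripting + broad hosts: can inject code into any site")
    if broad and "tabs" in api:
        findings.append("tabs + broad hosts: can enumerate tabs and capture visible page content")
    if broad and manifest.get("content_scripts"):
        findings.append("content script runs on all sites")
    return findings


def permission_delta(old: dict, new: dict) -> Dict[str, List[str]]:
    """Permissions gained or dropped between two versions."""
    old_api, old_hosts = effective_permissions(old)
    new_api, new_hosts = effective_permissions(new)
    return {
        "added_api": sorted(new_api - old_api),
        "added_hosts": sorted(new_hosts - old_hosts),
        "removed_api": sorted(old_api - new_api),
    }


def audit_update_history(versions: List[dict]) -> List[dict]:
    """Walk consecutive versions; report gained permissions and newly triggered findings."""
    report = []
    for prev, cur in zip(versions, versions[1:]):
        prev_findings = risk_findings(prev)
        report.append({
            "from": prev["version"],
            "to": cur["version"],
            "delta": permission_delta(prev, cur),
            "new_findings": [f for f in risk_findings(cur) if f not in prev_findings],
        })
    return report


# Constructed sample manifests (not the real extension's).
MANIFEST_V1 = json.loads("""{
  "manifest_version": 3, "name": "Example VPN", "version": "1.0",
  "permissions": ["proxy", "storage"]
}""")
MANIFEST_V2 = json.loads("""{
  "manifest_version": 3, "name": "Example VPN", "version": "2.0",
  "permissions": ["proxy", "storage"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["scan.js"]}]
}""")
MANIFEST_V3 = json.loads("""{
  "manifest_version": 3, "name": "Example VPN", "version": "3.0",
  "permissions": ["proxy", "storage", "tabs", "scripting"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["scan.js"]}]
}""")
VERSION_HISTORY = [MANIFEST_V1, MANIFEST_V2, MANIFEST_V3]

if __name__ == "__main__":
    for step in audit_update_history(VERSION_HISTORY):
        d = step["delta"]
        print(f"{step['from']} -> {step['to']}: +api {d['added_api']} +hosts {d['added_hosts']}")
        for finding in step["new_findings"]:
            print("   !", finding)
```

Run against real installs by loading each version's manifest.json from the extension's profile directory (on most platforms under the browser profile's Extensions folder, one subfolder per version); a VPN extension that needs only the proxy API and suddenly gains <all_urls> plus tabs or scripting is exactly the pattern the article describes and the output flags.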
Security experts recommend prioritizing extensions from established developers with transparent development histories and verified track records in the cybersecurity community. Additionally, users should consider implementing browser security extensions that monitor and alert about suspicious extension behavior.
The FreeVPN.One incident serves as a critical reminder that even popular, well-rated browser extensions can pose serious privacy risks. This case underscores the urgent need for enhanced security measures in browser extension ecosystems and reinforces the importance of user vigilance in protecting personal data from unauthorized surveillance activities.