Chrome VPN Extension Spies on Users and Takes Screenshots

Red Dog Security

2 min read
Chrome VPN Extension Spies on Users and Takes Screenshots

Researchers at Koi Security have discovered that the popular Chrome extension FreeVPN.One has recently changed its behavior, secretly taking screenshots of users’ browsing activity and transmitting them to a remote server.

“The FreeVPN.One case illustrates how a product meant to protect privacy can turn into a trap,” the researchers wrote. “The extension’s developers have verified status, and it was even featured in Chrome Web Store recommendations. Although Chrome claims to check new versions of extensions with automated scanning, manual reviews, and ongoing monitoring, this case shows that dangerous extensions can bypass safeguards—revealing major gaps in extension security.”

At the time of the report’s release, FreeVPN.One remained available on the Chrome Web Store with more than 100,000 installations.

How the Extension Works

According to researchers, the extension began capturing screenshots after a July 2025 update. Roughly one second after each page load, a screenshot is taken and sent to a remote server. Initially, the data was transmitted in plain text, but a subsequent update introduced encryption.

Koi Security noted that before introducing this functionality, the developers had gradually expanded the extension’s permissions through smaller updates—gaining access to all websites and the ability to inject custom scripts. Around the same time, they also introduced an “AI-powered threat detection” feature.

Developer Response

When asked for comment by The Register, FreeVPN.One’s developers defended their practices:

  • They claimed the extension is “fully compliant with Chrome Web Store policies,” with screenshot functionality disclosed in the privacy policy.
  • They argued that all collected data is encrypted and handled according to “standard practices for browser extensions.”
  • They maintained a commitment to “transparency and user privacy.”

The developers further stated that screenshots are only taken as part of a background scanning feature and only when a domain appears “suspicious.” They insisted the screenshots are “not stored or used” but “briefly analyzed for potential threats.”

Researchers Push Back

Koi Security researchers disputed these claims, demonstrating that screenshots were taken continuously—including on trusted domains such as Google’s own services.

The product description mentions “advanced AI threat detection” that “constantly monitors visited sites and scans them visually if you visit a suspicious page.” However, nowhere does it clarify that “visual scanning” involves persistent screenshot capture and remote transmission—a function that most users would not expect from a VPN extension.

Read more