FreeVPN.One, a Chrome VPN extension with more than 100,000 verified installations, began silently capturing screenshots roughly one second after each page load and sending them to a remote server. Initial transmissions were unencrypted; a later update obfuscated the data with encryption. The screenshot capability appeared after updates that requested broader permissions to access all sites and inject custom scripts. The extension retained verified status and featured placement on the Chrome Web Store despite Chrome’s automated scans, human reviews, and behavior monitoring, exposing gaps in browser marketplace security and raising privacy concerns.
They've earned verified status and even featured placement on the Chrome Web Store. And while Chrome claims to perform security checks on new versions of extensions, using automated scans, human reviews, and monitoring for malicious code or behavior changes - the reality is that these safeguards failed. This case shows that even with those protections in place, dangerous extensions can slip through, highlighting serious gaps in security across major browser marketplaces.
Koi's research found that the extension, which had more than 100,000 verified installations at the time of publication, is silently capturing screenshots a little over a second after each page load before transmitting them to a remote server - initially in the clear, then in a later update obfuscated with encryption. The behavior, the researchers claim, was introduced in July - after laying the groundwork with smaller updates which requested additional permissions to access all sites and inject custom scripts.
Collection
[
|
...
]