Researchers have uncovered that the Chrome extension FreeVPN.One, installed over 100,000 times and even labeled as “featured” in the Chrome Web Store, was secretly tracking its users. The extension took screenshots just after webpages loaded, capturing URLs, tab IDs, and unique user identifiers, which were then transmitted to a remote server. In addition, it collected geolocation and device data, raising serious privacy concerns.
Although the developer claimed the screenshots were part of a security feature to detect malicious domains, investigations showed that images were taken indiscriminately—even on safe services like Google Sheets and Google Photos. Updates earlier this year enabled the extension to access every site visited, and by July, the hidden screenshot and tracking functions were fully active. Encryption methods such as AES-256-GCM with RSA wrapping were also introduced, making detection more difficult.
The extension’s privacy policy vaguely referenced an AI-based scanning function, but offered no justification for such broad surveillance. Researchers noted that the developer failed to provide company information or credentials, with only a simple Wix site linked to the project. Despite these revelations, FreeVPN.One remains available in the Chrome Web Store, still bearing its “featured” badge and holding a 3.7-star rating, though reviews now contain many warnings.
This case highlights the hidden dangers of free VPN browser extensions, which may compromise rather than protect user privacy. Experts warn that users are safer choosing reputable, paid VPN services instead of free options that can secretly harvest sensitive data.
