Free VPN for Chrome spied on users: FreeVPN.One leaked page screenshots and geolocation

As the saying goes, there is only free cheese in a mousetrap. It seems that this old truth has received new confirmation in the IT industry. Security experts at Koi discovered is a popular VPN extension for of the Chrome browser, which secretly took screenshots of visited pages and collected data on the location of users.

The problematic extension is called FreeVPN.One. It has been downloaded more than 100 thousand times from the Chrome Web Store. Moreover, it received a Featured mark from Google, which should mean compliance with recommended security practices, reports Sweclockers.

After analyzing FreeVPN.One’s code, the researchers found that the extension automatically took a screenshot exactly 1.1 seconds after any page was loaded. The screenshot was sent to the developer’s server along with the URL, tab ID, and unique user ID.

Officially, the VPN has a Scan with AI Threat Detection feature, and the privacy policy states that the tool may transmit selective screenshots and page addresses to secure servers. However, as the Koi team found out, FreeVPN.One was taking screenshots of all pages in a row before the tool was launched — users didn’t even know about it.

Another problem is geolocation tracking. In recent months, VPNs have begun to transmit not only screenshots but also data on geolocation and device characteristics. The latest version of the extension uses AES-256-GCM encryption with RSA key wrapping. This makes it much more difficult to detect that the collected data is being sent to the server.

According to Koi, active spying began in April, when the updates changed permissions: the extension gained access to every site the user visited. Subsequent updates gradually expanded these rights, and, according to the researchers, the developer was testing how far it could go without arousing suspicion.

The key date is July 17. That’s when FreeVPN.One started taking screenshots, tracking location, and transmitting the collected data. The next update introduced encryption and a new subdomain for communicating with the server.

Koi contacted the sole developer of the extension. At first, he responded and denied the allegations. According to him, the automatic screenshots were supposedly part of a background check of websites and were launched only in case of suspicious domains. However, the researchers documented screenshots even from quite reliable services, including Google Sheets and Google Photos.

The developer stopped responding to requests for proof of legitimacy, such as a company profile, GitHub account, or LinkedIn page. The only known address that remains leads to a simple website created in Wix using a free template.

Despite the revelations, FreeVPN.One is still available in the Chrome Web Store. The extension has a rating of 3.7 stars, and the reviews page is now filled with outraged user comments referring to Koi’s investigation.

Even if we assume that the massive screenshots were an accidental mistake, the situation has already seriously undermined trust. The presence of the Featured icon on the extension is particularly alarming.

Source: pcgamer