‘Screenshot-grabbing’ Chrome VPN extension still available • The Register

Security boffins at Koi Security have warned of a shift in behavior of a popular Chrome VPN extension, FreeVPN.One, which recently appears to have begun snaffling screenshots of users’ page activity and transmitting them to a remote server without their knowledge – and Google has yet to take it down.

“FreeVPN.One shows how a privacy branding can be flipped into a trap,” Koi’s Lotan Sery writes in the company’s research report. “They’ve earned verified status and even featured placement on the Chrome Web Store. And while Chrome claims to perform security checks on new versions of extensions, using automated scans, human reviews, and monitoring for malicious code or behavior changes — the reality is that these safeguards failed. This case shows that even with those protections in place, dangerous extensions can slip through, highlighting serious gaps in security across major browser marketplaces.”

The report into the FreeVPN.One extension comes amid a surge of interest in VPNs following the introduction of the UK’s Online Safety Act. The Act requires certain websites – though not necessarily just the ones you’re thinking of – to verify the age of their visitors. If Children’s Commissioner Dame Rachel de Souza has her way, however, at least kids won’t fall foul of malicious VPNs.

Koi’s research found that the extension, which had more than 100,000 verified installations at the time of publication, is silently capturing screenshots a little over a second after each page load before transmitting them to a remote server – initially in the clear, then in a later update obfuscated with encryption. The behavior, the researchers claim, was introduced in July – after laying the groundwork with smaller updates which requested additional permissions to access all sites and inject custom scripts.
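The permission creep described above, in which a long-trusted extension gradually picks up access to every site plus the ability to inject scripts, is something a defender can watch for by diffing manifests across versions. The following is an added example, not Koi's tooling or anything shipped by the extension's developer; it audits Chrome Manifest V3 `manifest.json` files for broad host grants and page-content permissions and reports what a new version gained over the old one. The two manifests embedded in it are constructed for illustration and do not reproduce FreeVPN.One's real manifest.

```python
import json
from typing import Iterable

# Permissions that let an extension read or act on arbitrary page content.
# Each is legitimate for some extensions, but none is needed merely to
# route traffic through a VPN, so a VPN gaining them deserves scrutiny.
# Note that chrome.tabs.captureVisibleTab (tab screenshots) needs either
# "activeTab" or a broad host grant such as "<all_urls>".
SENSITIVE_PERMISSIONS = {
    "tabs", "scripting", "activeTab", "webRequest",
    "webNavigation", "declarativeNetRequest",
}

# Host patterns that match every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def broad_hosts(patterns: Iterable[str]) -> set:
    """Return only those match patterns that cover all sites."""
    return {p for p in patterns if p in BROAD_HOST_PATTERNS}


def audit_manifest(manifest: dict) -> dict:
    """Summarize the risky grants declared by one extension manifest."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 files list host patterns inside "permissions"; treat those
    # as host grants too so older versions audit consistently.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    perms -= hosts
    # Content scripts injected on every page are another route to page data.
    cs_matches = set()
    for cs in manifest.get("content_scripts", []):
        cs_matches.update(cs.get("matches", []))
    return {
        "sensitive_permissions": sorted(perms & SENSITIVE_PERMISSIONS),
        "broad_hosts": sorted(broad_hosts(hosts)),
        "content_scripts_everywhere": sorted(broad_hosts(cs_matches)),
    }


def permission_escalation(old: dict, new: dict) -> dict:
    """Risky grants present in the new manifest that the old one lacked."""
    before, after = audit_manifest(old), audit_manifest(new)
    return {k: sorted(set(after[k]) - set(before[k])) for k in before}


# Constructed sample manifests (hypothetical; not the real extension's files).
OLD_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Example VPN",
  "version": "1.0",
  "permissions": ["proxy", "storage"],
  "host_permissions": []
}
""")

NEW_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Example VPN",
  "version": "1.1",
  "permissions": ["proxy", "storage", "tabs", "scripting"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]
}
""")

if __name__ == "__main__":
    print("new version audit:", audit_manifest(NEW_MANIFEST))
    print("gained since old:", permission_escalation(OLD_MANIFEST, NEW_MANIFEST))
```

Run against the unpacked extension directories that Chrome keeps on disk, or against copies of each version you archive yourself, and alert when `permission_escalation` returns anything non-empty; the "proxy" and "storage" grants a VPN genuinely needs are deliberately not flagged, so the report stays quiet until the extension asks for page content.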

The Register reached out to the developer of FreeVPN.one, who insisted that FreeVPN.one’s Chrome extension “is fully compliant with Chrome Web Store policies, and any screenshot functionality is disclosed in our privacy policy,” sending us a link to the page here. They added: “All data collected is encrypted and handled according to standard practices for browser extensions. We are committed to transparency and user privacy and welcome readers to review our documentation for further details.”

The dev offered Koi’s researchers a range of excuses. One was that screenshots would only trigger “if a domain appears suspicious” as part of a “background scanning” feature; the researchers refuted this with evidence of activation on well-trusted domains, including Google’s own. Another was that screenshots “are not being stored or used” but “only analyzed briefly for potential threats” – which sounds very much like a use to us.

As to how such behavior made its way into the Chrome Web Store, which includes a get-out clause in its terms of service stating that “You agree that Google is not responsible for any Product on the Web Store that originates from a source other than Google,” the secret appears to lie in patience. The extension has been around for years, and appears to have been doing exactly what it promised for most of that time – only appearing to switch to sneakily exfiltrating screenshots more recently.

That shift would seem to make it eligible for removal from the Chrome Web Store: a developer declaration states that users’ data is “not being used or transferred for purposes that are unrelated to the item’s core functionality.” Hidden below the fold in the product overview, however, is mention of “advanced AI Threat Detection” with a “passive mode” which is “constantly monitoring the websites you are viewing and scanning them visually if you visit a suspicious page” – matching the developer’s claims as to the reason for taking screenshots, but without stating that “scanning them visually” means “sending pictures of everything you do to a remote server without notification or any way to opt out.”

The Register reached out to Google to ask whether it was investigating Koi’s report on the extension, and whether it intends to de-list it while it does so; the company had not replied at the time of publication, and The Reg notes that the extension remained active and available for download. ®
