A widely-installed Chrome extension marketed as a free VPN — FreeVPN.One — has been exposed for secretly taking screenshots of users’ browsing sessions and uploading them to an external server. The discovery, reported by security researchers and covered across major tech outlets, turns a privacy tool into a surveillance risk and raises urgent questions about extension vetting and permissions in browser stores.
What happened — the core findings
Security firm Koi Security analysed FreeVPN.One and found that the extension invoked browser screenshot APIs (capturing the visible tab) roughly 1.1 seconds after page load, then transmitted images plus metadata (URLs, tab IDs, device info, geolocation) to a remote server apparently controlled by an anonymous developer. The extension had over 100,000 installs and even displayed a “Featured” badge on the Chrome Web Store — factors that made the discovery particularly alarming.
Koi’s report found the feature hid behind an “AI Threat Detection” claim in the extension UI and privacy policy, but screenshots were being taken indiscriminately — including on banking, email and medical sites — rather than only on suspicious domains as the extension suggested. Attempts by researchers to engage the developer received minimal or evasive responses; some identifying information was removed in later updates.
Why this is dangerous
Screenshots can capture sensitive, unredacted information: passwords, 2FA codes, bank account numbers, private messages and photos. Unlike ephemeral telemetry, images can be stored, searched, and exploited later — creating a massive privacy and security liability for affected users and enterprises whose staff may have used the extension. This is not a minor overreach of permissions; it’s a direct violation of user trust and reasonable expectations for a “privacy” tool.
How the extension abused browser features
The extension leveraged broad permissions (tabs, scripting and capture APIs) to inject content scripts and call chrome.tabs.captureVisibleTab()-style functions. Because extensions run with elevated privileges inside the browser, developers can misuse these APIs to bypass normal page constraints and grab visible content without clear user consent. Koi’s analysis shows the code triggered screenshot capture automatically — not only when users activated an “AI” feature.
Response & ecosystem fallout
Coverage by Windows Central, Tom’s Hardware, TechRadar, CSO and others led to immediate user advisories: security outlets urged users to uninstall FreeVPN.One, scan devices for compromise, and change passwords for sites visited while the extension was enabled. Chrome’s badge and featured status drew criticism — many observers called the Web Store’s vetting process into question. Some enterprise security teams blocked the extension at network and endpoint levels.
At the time of reporting, the extension remained available in the Chrome Web Store despite public outcry, highlighting gaps in automated and manual review processes that allowed a high-risk extension to reach many users. Security experts called for faster takedowns and improved heuristics to detect exfiltration behaviours.
Practical advice for users (what to do now)
Uninstall suspicious extensions immediately. If you have FreeVPN.One or any unfamiliar VPN extension installed, remove it.
Scan your device. Run up-to-date antivirus/anti-malware and browser-security scans to detect possible persistence or additional malicious artifacts.
Change passwords and enable 2FA. For any accounts accessed while the extension was active, reset passwords and enable multi-factor authentication. Treat those sessions as potentially compromised.
Audit installed extensions. Regularly remove unused extensions and scrutinize permissions — especially those that request tab, capture or broad scripting access.
Prefer vetted apps from reputable vendors. Free VPN extensions with large user bases and Google’s badges can still be risky; prefer standalone desktop/mobile VPN apps from established providers and read independent security reviews.
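The extension audit described above can be scripted. The following is an added example, not code from Koi Security's report or from the extension: it reads each installed extension's manifest.json and flags the permission combination the article describes (capture without a user gesture, script injection on every site, access to tab URLs). The finding names, the set of "broad" host patterns and the sample manifests are constructed for illustration, and the extensions directory is passed in by the caller.

```python
import json
from pathlib import Path

# Host patterns that cover every site (heuristic list, an assumption of this example).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> list[str]:
    """Return the capability findings for one parsed manifest.json."""
    def strings(key):
        return {p for p in manifest.get(key, []) if isinstance(p, str)}

    perms = strings("permissions")          # Manifest V2 also lists host patterns here
    hosts = (perms | strings("host_permissions")) & BROAD_HOSTS
    broad_cs = any(set(cs.get("matches", [])) & BROAD_HOSTS
                   for cs in manifest.get("content_scripts", []))
    findings = []
    if "<all_urls>" in hosts:
        # captureVisibleTab() needs <all_urls> or activeTab; activeTab is only
        # granted after the user invokes the extension, <all_urls> is always on.
        findings.append("silent-capture")
    if broad_cs or (hosts and "scripting" in perms):
        findings.append("inject-everywhere")
    if "tabs" in perms:
        findings.append("read-tab-urls")
    return findings

def scan_extensions(ext_root: Path) -> dict[str, list[str]]:
    """Audit <ext_root>/<extension id>/<version>/manifest.json for each install."""
    report = {}
    for path in sorted(ext_root.glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            report[ext_id] = ["unreadable-manifest"]
            continue
        findings = audit_manifest(manifest)
        if findings:
            report[ext_id] = findings
    return report

# Constructed sample manifests (not taken from any real extension).
SAMPLE_BROAD = {"manifest_version": 3, "name": "sample-vpn",
                "permissions": ["tabs", "scripting", "storage", "proxy"],
                "host_permissions": ["<all_urls>"],
                "content_scripts": [{"matches": ["https://*/*"], "js": ["c.js"]}]}
SAMPLE_NARROW = {"manifest_version": 3, "name": "sample-notes",
                 "permissions": ["storage", "activeTab"],
                 "host_permissions": ["https://notes.example/*"]}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_BROAD))
    print(audit_manifest(SAMPLE_NARROW))
```

Point `scan_extensions` at the `Extensions` folder inside a Chrome profile directory; an extension that returns all three findings has the access needed for the behaviour reported here and deserves a manual review.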
Broader lessons for browser stores and enterprises
This incident is a reminder that browser extension platforms are a high-risk attack surface. Automated badges and install counts are not substitutes for rigorous security review. Enterprises should consider blocking extensions at the policy level or using allowlists, and browser vendors must harden review processes and test extensions for suspicious data exfiltration patterns.
Conclusion
A tool marketed as privacy software became a privacy threat. The FreeVPN.One case shows how powerful browser extension APIs can be misused and why users — and platforms — must remain vigilant. Uninstall suspicious extensions, take the remediation steps above, and treat any unexpected or intrusive browser behaviour as potentially serious. Security researchers and platform operators will need to push for faster detection and removal mechanisms to prevent similar abuses in future.
Key sources & verification
Windows Central investigation and report. (Windows Central)
TechRadar coverage and user advisories. (TechRadar)
CSO Online and Tom’s Hardware analyses. (CSO Online)
Koi Security technical findings summarized by multiple outlets. (Medium)



