Free VPN for Chrome Caught Spying: FreeVPN.One Leaked Page Screenshots and Geolocation Data

The Illusion of Privacy: Free VPN for Chrome Caught Spying on Users

The adage "free cheese is only in a mousetrap" appears to hold true once again in the volatile landscape of the IT industry. Security experts from the firm Koi have unearthed a popular VPN extension for the Google Chrome browser, FreeVPN.One, which was covertly capturing screenshots of users' visited pages and collecting their geolocation data. This alarming discovery has sent ripples of concern through the online privacy community, especially considering the extension's widespread adoption.

A Deceptive Trust: Featured Status and Hidden Agendas

What makes this revelation particularly insidious is that FreeVPN.One had garnered an impressive 100,000-plus downloads from the Chrome Web Store. Compounding the betrayal of trust, Google had bestowed upon it a "Featured" badge – a mark typically signifying adherence to recommended security practices. This distinction ironically lent an air of legitimacy to an extension that was, in reality, betraying its users' privacy at an alarming rate.

Unveiling the Espionage: Screenshots and Sensitive Data

A deep dive into the extension's code by Koi researchers revealed a disturbing modus operandi. FreeVPN.One was configured to automatically capture a screenshot precisely 1.1 seconds after any webpage loaded. This snapshot, along with the URL, tab ID, and a unique user identifier, was then transmitted to the developer's server. While the VPN’s official privacy policy mentioned the potential for selective screenshots and page addresses to be sent to secure servers for its "Scan with AI Threat Detection" feature, the reality was far more invasive. Koi's investigation confirmed that FreeVPN.One was indiscriminately taking screenshots of every single page, irrespective of whether the AI threat detection tool was active, leaving unsuspecting users completely unaware of this pervasive surveillance.

Beyond Screenshots: Geolocation and Device Fingerprinting

The privacy violations didn't stop at screen captures. In recent months, FreeVPN.One escalated its data harvesting to include geolocation data and device characteristics. The latest iteration of the extension employed AES-256-GCM encryption with RSA keys, a sophisticated measure that significantly complicates the detection of data exfiltration to the developer's servers. According to Koi's analysis, this aggressive spying campaign appears to have commenced in April, coinciding with updates that dramatically expanded the extension's permissions, granting it unfettered access to every website a user visited. Subsequent updates incrementally broadened these rights, suggesting a deliberate probing by the developer to test the boundaries of user tolerance and detection.

The Unmasking: A Web of Deception

A pivotal point in this unfolding drama was July 17th, when FreeVPN.One began its comprehensive data collection, including screenshots, location tracking, and device information. An subsequent update introduced the aforementioned encryption and a new subdomain for server communication, further obscuring its clandestine activities. When Koi reached out to the sole developer behind the extension, they initially received a denial of accusations. The developer posited that the automatic screenshots were a byproduct of background site verification, purportedly triggered only for suspicious domains. However, Koi researchers meticulously documented screenshots taken from entirely reputable services like Google Sheets and Google Photos, thoroughly debunking this claim. When pressed for verifiable proof of legitimacy – such as a company profile, a GitHub repository, or a LinkedIn presence – the developer abruptly ceased communication. The only remaining digital footprint leads to a rudimentary website built on a free Wix template, offering little to no credible information about the entity behind such invasive practices.

Lingering Threat: A Tarnished Trust

Despite this damning exposé, FreeVPN.One remains accessible on the Chrome Web Store. Its user rating currently stands at a dismal 3.7 stars, with its review section now flooded with indignant comments from users citing Koi's investigation. Even if one were to charitably assume the mass screenshotting was an unintentional glitch, the damage to user trust is profound and likely irreparable. The presence of the "Featured" badge on such a compromised extension is a particularly disquieting reminder of the potential vulnerabilities within even supposedly vetted platforms.