A free VPN extension with over 100,000 downloads appears to be recording tons of sensitive user information, including taking screenshots of every visited page.
“If the product is free, you are the product.”
You can apply that thinking to pretty much anything supported by advertising or data collection, including tools like Chrome and Gmail. (And you’re not paying to read these words, are you? Food for thought.) But one VPN tool, claiming to increase user privacy and security, might be snooping on the people it’s claiming to protect.
That’s the claim put forth by Koi Security, a software vendor that also investigates other applications. According to its report, the “FreeVPN.One” virtual private network, available as an extension of the Chrome browser, is peeping on its users in a variety of ways. First and most concerningly, the extension appears to take a screenshot of every single website the user visits, even waiting a second after the page loads to make sure everything is rendered.
This automatic screen recording may be related to the tool’s “Scan with AI Threat Detection” feature. This little button lets you “scan” a website visually and then sends the screenshot off to FreeVPN.One’s servers, where it gets analyzed for threats. That sounds neat, I suppose… but it’s not really doing anything that couldn’t be done faster and more efficiently just by sending the URL in. And, as Koi reports, the tool already appears to take a screenshot of every single page the browser visits, without informing the user.
The extension is also recording the user’s location via IP address, and has access to all of the user’s URLs via elevated permissions. “With the <all_urls> permission, the extension gains the ability to access every site you visit,” says Koi’s report. “This broad reach lets it inject a content script everywhere you go.”
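A defender-side check for the permission pattern Koi describes, as an added example that is not from Koi’s report or from the extension itself: it audits a Chrome extension’s manifest.json for blanket host access (`<all_urls>` and equivalent wildcards) and for content scripts declared to run on every page, then flags sensitive permissions that become more dangerous when paired with that reach. Both manifests below are constructed samples, not FreeVPN.One’s real files.

```python
import json

# Constructed sample manifest shaped like the pattern described above:
# blanket host access plus a content script injected on every page.
# Illustrative only; not the real FreeVPN.One manifest.
SAMPLE_SUSPICIOUS = json.dumps({
    "manifest_version": 3,
    "name": "example-free-vpn",
    "version": "0.0.1",
    "permissions": ["tabs", "storage", "scripting", "proxy"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [
        {"matches": ["<all_urls>"], "js": ["content.js"], "run_at": "document_idle"}
    ],
})

# Constructed sample of a narrowly scoped extension for contrast.
SAMPLE_CLEAN = json.dumps({
    "manifest_version": 3,
    "name": "example-narrow",
    "version": "0.0.1",
    "permissions": ["storage"],
    "host_permissions": ["https://api.example.invalid/*"],
})

# Host patterns that grant access to every site the user visits.
BLANKET_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that matter most when combined with blanket host access
# (tab enumeration, script injection, traffic interception, cookies).
SENSITIVE_PERMS = {"tabs", "scripting", "webRequest", "webNavigation", "proxy", "cookies"}


def audit_manifest(manifest_text: str) -> list[str]:
    """Return human-readable findings for a manifest.json; empty list if clean."""
    m = json.loads(manifest_text)
    findings = []
    # MV2 mixed host patterns into "permissions"; MV3 uses "host_permissions".
    declared = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
    blanket = bool(declared & BLANKET_HOSTS)
    if blanket:
        findings.append("blanket host access: extension can read every site visited")
    for cs in m.get("content_scripts", []):
        if set(cs.get("matches", [])) & BLANKET_HOSTS:
            findings.append(f"content script injected on all pages: {cs.get('js')}")
    risky = sorted(declared & SENSITIVE_PERMS)
    if blanket and risky:
        findings.append("sensitive permissions with blanket host access: " + ", ".join(risky))
    return findings


if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_SUSPICIOUS):
        print("FINDING:", line)
```

On a real machine, point this at the manifest.json inside the browser profile’s extension directory; a clean result does not prove an extension is safe, only that it does not declare page-wide reach.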
Koi says that FreeVPN.One’s permissions expanded sharply, and the alleged spying began, in April of this year, after the extension had amassed hundreds of thousands of installations; it has also covered its tracks in some recent releases with updates meant to obfuscate its activity. Though the developer claims that screenshots are not permanently saved or transmitted, and that user data is never sold, the developer remains anonymous, with no notable business or contact information. The developer stopped responding to Koi’s emails after being asked to provide any sort of evidence of legitimacy.