Featured Chrome extension FreeVPN.One caught capturing and transmitting user data


The Chrome extension FreeVPN.One has been found to be secretly capturing screenshots of users’ browsing sessions and transmitting them to a remote server without consent, according to Koi Security.

The extension, which until recently displayed a verified badge on the Chrome Web Store, still carries a “Featured” label, signaling that it follows recommended practices for Chrome extensions.

A two-stage architecture

The extension employs a two-stage architecture to capture the screenshots, Koi Security’s blog post noted.

“First, the content script is automatically injected into every HTTP and HTTPS website due to the broad pattern in the manifest. Upon page load, the content script executes a delayed trigger. This code waits exactly 1.1 seconds after page initialization, then sends an internal message captureViewport to the background service worker requesting screenshot capture. The background service worker receives this message and executes the actual screenshot capture using Chrome’s privileged API chrome.tabs.captureVisibleTab(),” stated Koi Security.

The VPN also offers an “AI Threat Detector” feature, which claims to analyse the current site with AI on the user’s behalf. But Koi Security claimed that once the feature is used, the extension captures a full-page screenshot and uploads it to aitd[.]one/analyze.php for server-side analysis.

The same behaviour is disclosed in FreeVPN.One’s privacy policy, which states that it “may upload page screenshots and URLs to their secured servers.” Koi Security claimed that the “UI presents it as a one-time, local scan, but the surveillance is already well underway.”

Responding to Koi Security, FreeVPN.one explained that “the automatic screenshot capture is part of a Background Scanning feature, which should only trigger if a domain appears suspicious. Background Scanning was initially enabled for all users by default, with plans to change it so that a future update would require explicit consent.”

FreeVPN.One did not immediately respond to a request for comment.

Unmanaged extensions expose enterprises

Such incidents highlight how unmanaged browser extensions can act as covert data exfiltration channels, exposing sensitive corporate information. Enterprises usually deploy licensed, corporate-grade VPNs that are safe and accompanied by monitoring and access controls. But employees often install free VPN extensions for personal use.

“This poses a major threat to industries with mobile, remote, or hybrid workforces, including finance, healthcare, legal, technology, consulting, and media. For employees who frequently travel or use BYOD, the risks are even higher as they may download free VPNs for personal privacy or to bypass geo-blocks,” said Pareekh Jain, CEO at EIIRTrend & Pareekh Consulting.

Organizations with younger, tech-savvy workforces may also see higher adoption of free VPNs, since employees often experiment with consumer-grade tools outside IT’s visibility, said Manish Rawat, analyst at TechInsights.

Many enterprises also lack formal governance of browser extensions. Jain noted that some mature organizations use endpoint management or secure browser policies, but many rely on default Chrome/Edge settings. This leaves a major blind spot as extensions can be installed without security review, persist after turning malicious, and remain invisible to traditional vulnerability management systems.

Containment measures must be swift and proactive

For chief information security officers, the incident underscores the need for stronger security practices to be in place.

“CISOs should immediately begin discovery by inventorying extensions across fleets, ranking by permissions such as all-site access, scripting, and capture APIs, and recent version changes while hunting for screenshot API usage and suspicious outbound beacons,” said Amit Jaju, senior managing director – India at Ankura Consulting. “Containment efforts must include blocklisting and removing high-risk VPN/coupon/search-helper extensions, forcing sign-outs and credential rotation for exposed users, and clearing browser data.”

Jaju added that governance improvements require enforcing default-deny allowlists via enterprise policies, implementing auto-quarantine on permission escalation, disabling developer mode and sideloading, and restricting user installs for risky categories.

According to experts, enterprises should regularly educate users, stressing the risks associated with free VPNs, and extend policies to contractors and BYOD via managed browsers or isolation.
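The discovery step the experts describe above (inventory extensions across a fleet, rank them by all-site access, scripting and capture permissions, and hunt for screenshot API usage and hard-coded outbound hosts) can be scripted against unpacked extension directories. The script below is an added example, not code from the article, Koi Security or FreeVPN.One. It assumes a root directory containing unpacked extensions with their manifest.json files (any nesting, such as a Chrome profile’s Extensions folder) and builds two constructed samples in a temporary directory to run offline: one shaped like the two-stage capture flow described above, using a placeholder analysis host, and one benign. The permission weights, regexes and score thresholds are the example’s own assumptions, not Chrome’s or any vendor’s scoring.

```python
"""Rank unpacked Chrome extensions by data-capture risk (example code, not the article's)."""
import json
import re
import tempfile
from pathlib import Path

# Host patterns that give a content script or permission access to every site.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions weighted by how useful they are to a data-capture extension (assumed weights).
RISKY_PERMISSIONS = {
    "tabs": 2, "scripting": 2, "activeTab": 1, "webRequest": 1,
    "cookies": 1, "history": 1, "tabCapture": 3, "desktopCapture": 3,
}

# Screenshot / media capture APIs worth hunting for in extension scripts.
CAPTURE_API_RE = re.compile(
    r"chrome\.(?:tabs\.captureVisibleTab|tabCapture\.capture|desktopCapture\.chooseDesktopMedia)\b"
)

# Outbound call sites whose first argument is a hard-coded absolute URL; captures scheme and host.
BEACON_RE = re.compile(r"""(?:fetch|sendBeacon|open)\s*\(\s*['"](https?://[^/'"]+)""")


def load_manifest(ext_dir: Path) -> dict:
    return json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))


def host_patterns(manifest: dict) -> set:
    """Collect every host pattern the manifest asks for, wherever it is declared."""
    patterns = set(manifest.get("permissions", []))       # MV2 puts host entries here
    patterns.update(manifest.get("host_permissions", []))  # MV3 host entries
    for cs in manifest.get("content_scripts", []):
        patterns.update(cs.get("matches", []))              # injection targets
    return patterns


def scan_scripts(ext_dir: Path) -> dict:
    """Grep every .js file for capture APIs and hard-coded outbound hosts."""
    capture_apis, beacon_hosts = set(), set()
    for js in ext_dir.rglob("*.js"):
        text = js.read_text(encoding="utf-8", errors="replace")
        capture_apis.update(CAPTURE_API_RE.findall(text))
        beacon_hosts.update(BEACON_RE.findall(text))
    return {"capture_apis": sorted(capture_apis), "beacon_hosts": sorted(beacon_hosts)}


def assess(ext_dir: Path) -> dict:
    """Score one unpacked extension; higher means more review urgency."""
    manifest = load_manifest(ext_dir)
    findings, score = [], 0
    broad = host_patterns(manifest) & BROAD_HOST_PATTERNS
    if broad:
        score += 3
        findings.append(f"all-site access via {sorted(broad)}")
    for perm in manifest.get("permissions", []):
        if perm in RISKY_PERMISSIONS:
            score += RISKY_PERMISSIONS[perm]
            findings.append(f"permission {perm}")
    scripts = scan_scripts(ext_dir)
    if scripts["capture_apis"]:
        score += 4
        findings.append(f"capture API {scripts['capture_apis']}")
    if scripts["beacon_hosts"]:
        score += 2
        findings.append(f"hard-coded outbound host {scripts['beacon_hosts']}")
    return {"name": manifest.get("name", ext_dir.name), "version": manifest.get("version", "?"),
            "path": str(ext_dir), "score": score, "findings": findings}


def rank_extensions(root: Path) -> list:
    """Assess every extension found under root (any nesting), highest risk first."""
    reports = [assess(m.parent) for m in root.rglob("manifest.json")]
    return sorted(reports, key=lambda r: r["score"], reverse=True)


# Constructed sample extensions: a capture-shaped one and a benign one. Placeholder host only.
SAMPLE_EXTENSIONS = {
    "suspicious-vpn": {
        "manifest.json": json.dumps({
            "manifest_version": 3, "name": "Sample Free VPN", "version": "1.0",
            "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"],
            "content_scripts": [{"matches": ["http://*/*", "https://*/*"], "js": ["content.js"]}],
            "background": {"service_worker": "background.js"}}),
        "content.js": 'chrome.runtime.sendMessage({ type: "captureViewport" });\n',
        "background.js": 'chrome.tabs.captureVisibleTab();\nfetch("https://analyzer.example/analyze.php");\n',
    },
    "benign-notes": {
        "manifest.json": json.dumps({"manifest_version": 3, "name": "Sample Notes",
                                     "version": "2.1", "permissions": ["storage"]}),
        "popup.js": "chrome.storage.local.get(null);\n",
    },
}


def build_sample_root() -> Path:
    """Write the constructed samples to a temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="ext-inventory-"))
    for ext_name, files in SAMPLE_EXTENSIONS.items():
        (root / ext_name).mkdir()
        for fname, body in files.items():
            (root / ext_name / fname).write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    for report in rank_extensions(build_sample_root()):
        print(f"{report['score']:>3}  {report['name']} {report['version']}  {'; '.join(report['findings'])}")
```

Point `rank_extensions` at a real profile’s extension folder to get a fleet-style ranking; the output is a review queue, not a verdict, since legitimate screenshot or capture tools will score high as well and must be allowlisted deliberately.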
