Summary
- A VPN extension on Chrome called FreeVPN.One has been discovered by a cybersecurity firm to be secretly taking screenshots of user webpages.
- If you have the FreeVPN.One Chrome extension installed, you should delete it immediately, and take any necessary precautions to secure accounts.
- Koi Security, the cybersecurity firm behind the investigation, says the extension has a script that takes the screenshot right after you load a webpage without you knowing.
If there is one thing I prioritize on my PC more than performance, it’s security, and the last thing I want is for any of my personal information to fall into the wrong hands. Generally, if you download apps from trusted providers and regularly use Windows Defender, it’s fairly easy to keep your PC secure. However, there are subtle ways bad actors can access your information without you even realizing it.
One possible method is through Google Chrome extensions. While many Chrome extensions are well-intentioned and pose no threat to your PC, one extension was recently discovered to be a major security risk, despite having both the “Featured” and “Established Publisher” badges from Google, as well as thousands of downloads.
The extension is called FreeVPN.One, and if you have it installed, you should delete it immediately. Why, you might be wondering? According to cybersecurity researchers at the Koi Security firm, it’s secretly taking screenshots of your browser.
To uninstall an extension from Chrome, click the Extensions icon (the puzzle piece), then next to the extension’s name, click the three dots and select Remove from Chrome.
People use VPNs for privacy, but this exposed VPN extension does the opposite
FreeVPN.One is found to be secretly taking webpage screenshots without user consent
Typically, when you download and use a VPN, you’re doing so to enhance the security and privacy of your browsing. However, it seems the FreeVPN.One extension on Google Chrome is doing anything but that. While its page on the Chrome Web Store may suggest that it’s just an everyday browser VPN, it’s actually doing much more than just hiding your IP address.
After an investigation, cybersecurity researchers at Koi Security found that the FreeVPN.One extension carries out a series of “suspicious actions” in the background without your knowledge. One of them is secretly taking screenshots of your browser.
Koi Security reports that when you load a webpage with the extension installed, it instantaneously takes a screenshot of your webpage and sends it to a domain registered to the extension’s developer. This means that if you’re viewing sensitive information in your browser, such as private messages, images, or banking details, FreeVPN.One might have secretly captured a screenshot of it. This is done through a script that the extension automatically injects when a webpage loads. “No user action, no UI hint, the screenshots are taken in the background without you ever knowing,” Koi Security explains.
FreeVPN.One also offers a “Scan with AI Threat Detection Tool.” This feature takes a screenshot of a webpage and sends it to a domain for scrutiny by its “vetted analysis partners” to determine if a website is safe. According to FreeVPN.One’s privacy policy, this only occurs when you use the feature. However, the policy does not mention that it is actually capturing a screenshot of every webpage you visit without your consent, as was recently discovered.
The developer asserts that the screenshots are merely a security feature
Koi Security’s findings cast extreme doubt on that
When Koi Security contacted the developer of the FreeVPN Chrome extension, the developer claimed that the automatic screenshots were part of a “Background Scanning feature” and would only be taken if a website was considered suspicious. However, Koi Security found that the extension took screenshots of trusted websites, such as Google Sheets and Google Photos, thereby disproving that claim. The developer also claimed the screenshots were not being stored or used anywhere, but provided no proof of this, and it’s impossible to know what happens to a screenshot after it’s taken. When asked for proof of legitimacy, such as a LinkedIn profile or GitHub account, the developer stopped communicating.
According to Koi Security, this development began in April 2025, when the extension was updated to require additional permissions, including the “all_urls” permission, which grants access to every website you visit. As the report explains, a VPN typically requires Proxy and Storage permissions to operate; however, FreeVPN.One requests significantly more permissions than other VPN services require. In July, the VPN was updated again, this time with “AES-256-GCM encryption with RSA,” which makes its actions harder to track.
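The permission comparison described above can be automated when reviewing installed extensions. The following is an added example, not code from Koi Security or from the extension: it checks a manifest against the proxy and storage baseline the report cites for a VPN and flags all-sites access. The function names and both sample manifests are constructed for illustration.

```javascript
// Added example: audit a Chrome extension manifest against the permissions a
// VPN extension is expected to need (proxy and storage, per the report).
// All names here are hypothetical; the sample manifests are constructed.
const VPN_BASELINE = new Set(["proxy", "storage"]);
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// A permission entry is a host match pattern if it is <all_urls> or has a scheme.
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifest, baseline = VPN_BASELINE) {
  const declared = [
    ...(manifest.permissions || []),       // Manifest V2 mixes hosts in here
    ...(manifest.host_permissions || []),  // Manifest V3 lists hosts separately
  ].filter((p) => typeof p === "string");

  // Host patterns that cover every site the user visits.
  const broadHosts = [...new Set(declared.filter((p) => BROAD_HOSTS.has(p)))];
  // API permissions beyond what the stated purpose needs.
  const extraApis = [...new Set(
    declared.filter((p) => !isHostPattern(p) && !baseline.has(p)))].sort();
  // Content scripts matching every site are injected on each page load.
  const injectsEverywhere = (manifest.content_scripts || []).some((cs) =>
    (cs.matches || []).some((m) => BROAD_HOSTS.has(m)));

  return {
    name: manifest.name,
    broadHosts,
    extraApis,
    injectsEverywhere,
    review: broadHosts.length > 0 || injectsEverywhere,
  };
}

// Constructed sample manifests (not taken from any real extension).
const minimalVpn = { name: "sample-minimal-vpn", manifest_version: 3,
  permissions: ["proxy", "storage"] };
const overbroadVpn = { name: "sample-overbroad-vpn", manifest_version: 3,
  permissions: ["proxy", "storage", "tabs", "scripting"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }] };

for (const m of [minimalVpn, overbroadVpn]) {
  console.log(JSON.stringify(auditManifest(m)));
}
```

To audit real extensions, pass in the parsed `manifest.json` of each installed extension; a `review: true` result after an update that previously returned `false` is the kind of permission growth the report describes.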
As of now, FreeVPN.One is still available on the Chrome Web Store and still carries its “Featured” badge and “Established Publisher” badge. The latter indicates that the publisher has a “consistent positive track record with Google services,” according to Google. However, based on Koi Security’s report, it is clear that Google should reevaluate both of these badges. If you have the FreeVPN.One extension installed, I recommend you uninstall it immediately and change any passwords for accounts you used while it was active.