Chrome VPN Extension with 100k Installs Screenshots All Sites Users Visit
14 days ago
- FreeVPN.One, a Chrome extension with over 100,000 installs, has been exposed for secretly capturing screenshots of users' screens and exfiltrating them to remote servers.
- The extension uses Chrome's privileged API to silently take screenshots, logging sensitive data like personal messages and financial dashboards, and sends it to a developer-controlled server.
- A two-stage architecture involving a content script and a background service worker facilitates the spying behavior, with screenshots taken automatically without user interaction.
- The latest version of the extension employs AES-256-GCM encryption with RSA key wrapping to obfuscate exfiltrated data, making detection harder.
- The developer claims the screenshot functionality is part of a 'security scan,' but researchers found it indiscriminately captures data from safe and commonly used sites.
- The extension's publisher lacks a legitimate company presence, and the developer ceased communication after initial responses to researchers.
- FreeVPN.One remains available on the Chrome Web Store with a verified status, despite the findings.
- Users are advised to change passwords for services accessed via Chrome while the extension was active and to use independently audited VPN providers.
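
A defender can triage installed extensions for the permission combination that makes the two-stage pattern above possible. The following is an added example, not code from the extension or from the researchers: it assumes the capture API involved is `chrome.tabs.captureVisibleTab` (the summary does not name it), and the function name and sample manifests are constructed for illustration.

```javascript
// Added example: flag extension manifests that declare everything needed for
// an all-sites content script + background worker + silent tab capture.
// Assumption: the capture API is chrome.tabs.captureVisibleTab, which Chrome
// allows with "<all_urls>" host access (no user gesture) or "activeTab"
// (only after the user invokes the extension).
const BROAD_MATCHES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const isBroad = (patterns = []) => patterns.some((p) => BROAD_MATCHES.has(p));

function auditManifest(manifest) {
  const perms = manifest.permissions || [];
  // Manifest V2 lists host patterns inside "permissions"; V3 uses "host_permissions".
  const hosts = [...(manifest.host_permissions || []), ...perms];
  const bg = manifest.background || {};
  const checks = {
    injectsEverywhere: (manifest.content_scripts || []).some((cs) => isBroad(cs.matches)),
    hasBackground: Boolean(bg.service_worker || bg.scripts || bg.page),
    silentCapture: hosts.includes("<all_urls>"),
    gestureCapture: perms.includes("activeTab"),
  };
  let risk = "low";
  if (checks.silentCapture) risk = "review";
  if (checks.silentCapture && checks.injectsEverywhere && checks.hasBackground) risk = "high";
  return { name: manifest.name || "(unnamed)", risk, ...checks };
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLE_VPN = {
  manifest_version: 3, name: "Sample VPN",
  permissions: ["proxy", "storage", "tabs", "scripting"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "background.js" },
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["content.js"] }],
};
const SAMPLE_NOTES = {
  manifest_version: 3, name: "Sample Notes",
  permissions: ["activeTab", "storage"],
  background: { service_worker: "sw.js" },
};
const SAMPLE_BLOCKER = {
  manifest_version: 3, name: "Sample Blocker",
  permissions: ["declarativeNetRequest"],
  host_permissions: ["<all_urls>"],
};

for (const m of [SAMPLE_VPN, SAMPLE_NOTES, SAMPLE_BLOCKER]) {
  const r = auditManifest(m);
  console.log(`${r.name}: ${r.risk}`);
}
```

A "high" result only means the manifest permits the behaviour; confirming it requires reviewing the extension's scripts and its network traffic.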