“Researchers Warn of a Shift in Behavior, but Google Remains Silent”

A recent report by Koi Security has shed light on a concerning trend in the world of Chrome extensions. FreeVPN.One, a popular VPN extension with over 100,000 verified installations, has been found to be silently capturing screenshots of users’ page activity and transmitting them to a remote server without their knowledge. The behavior, which was introduced in July, has raised serious security concerns and has left users wondering how such a trusted extension could fall victim to malicious activity.
According to Koi’s research, the extension captures a screenshot a little over a second after each page load and transmits it to a remote server, initially in the clear and, after a later update, obfuscated with encryption. The behavior was introduced after smaller updates laid the groundwork by requesting additional permissions to access all sites and inject custom scripts. This shift in behavior has raised questions about the extension’s true purpose and whether it is being used for malicious activities.
The developer of FreeVPN.One has defended the extension, stating that it is fully compliant with Chrome Web Store policies and that any screenshot functionality is disclosed in their privacy policy. However, Koi’s researchers have refuted this, citing evidence of activation on well-trusted domains, including Google’s own, and that screenshots are not being stored or used, but only analyzed briefly for potential threats. This raises concerns about the accuracy of the developer’s claims and whether the extension is truly transparent about its actions.
The incident has highlighted serious gaps in security across major browser marketplaces, despite the presence of automated scans, human reviews, and monitoring for malicious code or behavior changes. The Chrome Web Store’s terms of service also include a get-out clause that states Google is not responsible for any product that originates from a source other than Google. This lack of accountability has raised questions about the effectiveness of Google’s security measures and whether they are doing enough to protect users.
Google has yet to take down the extension, and it remains available for download at the time of publication. The incident serves as a reminder of the importance of vigilance when it comes to online security and the need for browser marketplaces to take a more proactive approach to monitoring and regulating extensions. It also highlights the need for users to be more aware of the extensions they install and to regularly review their permissions and settings.
In a statement, Lotan Sery, a security researcher at Koi, noted that “FreeVPN.One shows how a privacy branding can be flipped into a trap. They’ve earned verified status and even featured placement on the Chrome Web Store. And while Chrome claims to perform security checks on new versions of extensions, using automated scans, human reviews, and monitoring for malicious code or behavior changes — the reality is that these safeguards failed.”
The incident has sparked a wider conversation about the importance of online security and the need for greater transparency and accountability in the world of VPNs. As the UK’s Online Safety Act continues to shape the online landscape, it remains to be seen how browser marketplaces will respond to such incidents and prioritize the security and privacy of their users.
Key Findings:
FreeVPN.One, a popular Chrome extension, has been found to be silently capturing screenshots of users’ page activity and transmitting them to a remote server without their knowledge.
The behavior was introduced in July and has raised serious security concerns.
The developer of the extension has defended its actions, stating that it is fully compliant with Chrome Web Store policies.
Koi’s researchers have refuted this, citing evidence of activation on well-trusted domains and that screenshots are not being stored or used, but only analyzed briefly for potential threats.
The incident highlights serious gaps in security across major browser marketplaces and raises questions about the effectiveness of Google’s security measures.
Recommendations:
Users should be more aware of the extensions they install and regularly review their permissions and settings.
Browser marketplaces should take a more proactive approach to monitoring and regulating extensions.
Developers should prioritize transparency and accountability in their actions and disclose any data collection or transmission practices.
Google should take a stronger stance on security and accountability in its Chrome Web Store policies and enforcement.
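The permission groundwork described earlier (updates that add all-site access and script injection) and the advice to review permissions can both be checked against an extension's manifest.json. The following Node.js sketch is an added example, not code from Koi's report or from the extension: it diffs two manifest versions and flags that combination. The sample manifests are constructed, and mapping the report's wording to the `<all_urls>` host pattern and the `scripting` permission is an assumption.

```javascript
// Added example: flag an extension update that gains all-site access plus
// script injection. Mapping to <all_urls> / "scripting" is an assumption.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const INJECT_APIS = new Set(["scripting"]);

// Collect the API permissions and host patterns a manifest requests.
// MV3 keeps hosts in host_permissions; MV2 mixes them into permissions.
function requested(manifest) {
  const apis = new Set();
  const hosts = new Set();
  const isHost = (p) => typeof p === "string" && (p === "<all_urls>" || p.includes("://"));
  for (const key of ["permissions", "optional_permissions"]) {
    for (const p of manifest[key] || []) (isHost(p) ? hosts : apis).add(p);
  }
  for (const key of ["host_permissions", "optional_host_permissions"]) {
    for (const p of manifest[key] || []) hosts.add(p);
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) hosts.add(m);
  }
  return { apis, hosts };
}

// Compare two versions of the same extension and report what the update adds.
function permissionEscalation(oldManifest, newManifest) {
  const before = requested(oldManifest);
  const after = requested(newManifest);
  const added = (now, then) => [...now].filter((p) => !then.has(p)).sort();
  const addedApis = added(after.apis, before.apis);
  const addedHosts = added(after.hosts, before.hosts);
  const grantsAllSites = [...after.hosts].some((h) => BROAD_HOSTS.has(h));
  const grantsInjection = [...after.apis].some((a) => INJECT_APIS.has(a));
  const changed = addedHosts.some((h) => BROAD_HOSTS.has(h)) ||
                  addedApis.some((a) => INJECT_APIS.has(a));
  // Worth a manual review when the new version holds both capabilities
  // and this update supplied at least one of them.
  return { addedApis, addedHosts, review: grantsAllSites && grantsInjection && changed };
}

// Constructed sample manifests (not the real extension's files).
const v1 = { manifest_version: 3, permissions: ["proxy", "storage"],
             host_permissions: ["https://api.example.test/*"] };
const v2 = { manifest_version: 3, permissions: ["proxy", "storage", "tabs", "scripting"],
             host_permissions: ["<all_urls>"] };
console.log(permissionEscalation(v1, v2));
```

A `review: true` result means only that the update widened what the extension can do; what it does with that access still has to be read from its code and network traffic.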



