“If a VPN can see everything you type, what good is it?” That unsettling question resurfaced this week after security researchers at Koi Security revealed that a popular Chrome extension, FreeVPNOne, began taking screenshots of users’ browsing activity and sending those images to a remote server — and, as of the disclosure, remained available in Google’s Chrome Web Store.
This episode exposes a fundamental mismatch between what users expect from privacy tools and what browser extensions can actually do. Many people install VPN or proxy extensions to obscure location, bypass content restrictions, or protect privacy. But extensions run inside the browser with broad privileges: they can capture visible tabs, inspect network requests, and read or modify page content. According to Koi Security, FreeVPNOne recently started exploiting those capabilities to collect page images and exfiltrate them off-device. Researchers flagged the change as a significant privacy risk and described a “shift in behavior” introduced via post-install updates.
FreeVPNOne: what happened and why it matters
Koi Security’s write-up explains how the extension obtained screenshots and where the images were sent. Their analysis of the extension manifest and code suggests the screenshot-taking feature was not in earlier releases and appeared only after an update. That pattern — capability creep — is especially dangerous: a one-time click to install an extension may not reflect its later behavior. Users grant permissions at install time, but those permissions can be repurposed later to harvest sensitive data, including images of bank pages, forms, personal messages, and other content visible in the browser viewport.
FreeVPNOne’s developer has defended the extension, asserting that its actions are “compliant” with declared functionality. Google, meanwhile, had not removed the extension from the Web Store at the time of Koi’s disclosure. The situation raises questions about how platform operators detect and respond to post-install changes that add high-risk capabilities.
Why this matters beyond headlines: browser extensions operate with both explicit and implicit privileges. Developers request permissions such as “access to all sites” or “capture visible tabs,” which users must accept. Those permissions are sometimes necessary for legitimate features — for example, taking screenshots for diagnostics or enabling proxy behavior — but they also open routes for surveillance when misused. The FreeVPNOne case illustrates how a tool marketed as a privacy aid can become a vector for exposure.
Technical, policy, and user perspectives
– From technologists: The incident highlights architectural trade-offs in extension ecosystems. Powerful APIs deliver useful features, but they also increase risk when abused. Manifest V3 was intended to curtail some background privileges, yet APIs for screenshots and broad site access persist. Stronger runtime permissioning, stricter reviews for sensitive APIs, and automated monitoring of updates could reduce abuse.
– From policymakers and platform operators: Removing an extension can disrupt legitimate services and raise due-process concerns, but inaction leaves users vulnerable. Possible policy responses include mandatory, granular disclosures for high-risk capabilities, automated behavioral analysis in app stores, and expedited takedown procedures when exfiltration is detected.
– From users and civil-society advocates: People expect privacy tools to protect them, not to siphon data. Advocates call for clearer consent models, visible indicators when an extension captures content, and simpler tools to audit and revoke permissions. For high-risk users — journalists, dissidents, survivors of abuse — the presence of a screenshot-exfiltrating VPN extension is more than an annoyance; it can be a real, immediate threat.
Google’s stewardship under the microscope
The Chrome Web Store hosts millions of extensions and relies on a mix of automated and manual review. Security firms have repeatedly found malicious or privacy-invasive extensions lingering in the store for months. Platform owners must balance scale against safety. In FreeVPNOne’s case, public disclosure by Koi Security drew attention but did not produce an immediate removal, raising questions about the thresholds and timeliness of platform enforcement.
Defenders of the developer note that screenshots can serve legitimate purposes — diagnostics, customer support, or certain features — and argue that blanket removals could harm benign developers. But permission compliance does not equal informed consent. Many users accept broad permissions without understanding the consequences, and post-install changes can erode that fragile consent over time.
What users can do now
– Prefer system-level VPN clients over browser extensions for serious privacy needs. Apps that run outside the browser are less likely to capture arbitrary webpage content.
– Scrutinize extension permissions and user reviews before installing. Be wary of extensions requesting “access to all sites” unless strictly necessary.
– Remove extensions that suddenly start requesting new, sensitive capabilities.
– Use separate browser profiles or dedicated browsers for sensitive tasks like banking or messaging.
– For organizations, enforce endpoint controls and extension whitelisting to reduce exposure.
Longer-term fixes
Improving extension safety will require coordinated change: platform-level controls to flag and throttle updates that add sensitive capabilities, stronger developer identity verification and accountability, and legal or regulatory incentives for transparency about telemetry and data flows. Independent researchers and bug bounty programs remain vital for surfacing misbehavior at scale.
Trust is the core issue. FreeVPNOne’s reported behavior is a reminder that software intended to shield users can be turned into an instrument of surveillance. If a purported privacy tool can quietly capture your screen, the very tools meant to protect you become new vectors for exposure. FreeVPNOne’s case should prompt users, developers, platforms, and regulators to ask: who watches the watchers?




