Forget Windows Recall — This Chrome VPN is the real privacy nightmare, secretly screenshotting every site visited by over 100,000 users and sending them to an anonymous developer

Cybersecurity sleuths at Koi Security recently uncovered perhaps what might be defined as the worst security and privacy nightmare for most users: a popular Google Chrome extension, FreeVPN.One, with over 100,000 installs, has been secretly grabbing screenshots of every website the user visits and sending them to a domain controlled by the software's anonymous developer.

Perhaps more concerning, the extension is touted as "the fastest free VPN for Chrome." The tool also boasts a "Featured" badge, which is an accolade Google awards to software that aligns with its technical best practices while simultaneously maintaining a "high standard" user experience and design.

But as it now seems, FreeVPN.One has been going against this rule and breaching users' privacy for months on end.

Per the report by the cybersecurity experts, the extension silently grabs screenshots a second after each website page you visit loads before transmitting them to a remote server.

The security experts acknowledge that VPN extensions require permissions like proxy and storage to function, FreeVPN.Online is pushing the envelope farther by asking for more permissions that facilitate its deceptive data collection ploy, including tabs and scripting.

This then allows the extension to inject a script into every website you visit, allowing it to grab screenshots. "No user action, no UI hint, the screenshots are taken in the background without you ever knowing," Koi security added. The odd occurrence reportedly started sometime in July via minor updates, which upped the ante by requesting additional permissions.

Per FreeVPN.One's privacy policies, the extension can grab screenshots of your activities while using the internet, but this only happens when the AI Threat Detection Feature is enabled. It essentially grabs a screenshot and related page information, including the URL and page content, which are then transmitted from your browser to the platform's servers for vetting by analysts.

However, the extension's developer indicated that it may "use anonymized usage data" to build the platform's threat intelligence database, regardless of whether you've enable the AI-powered feature or not.

There are some discrepancies with FreeVPN.One's privacy policies, which were updated on July 20, are now missing a critical section about anonymized usage data. "This system is in beta and provided 'as is' without warranties or guarantees of any kind, express or implied, including but not limited to accuracy, reliability, or fitness for a particular purpose," the security firm added.

The update also scrapped information about who operates FreeVPN.One. The header previously indicated that the platform was operated by a company called CMO Ltd. The only way to get a hint of this information is through the email provided by contacting the developer. However, the domain associated with the provided email address redirects to a page for Phoenix Software Solutions with a suspicious URL, making the situation worse.

Speaking to The Register, a FreeVPN.One developer claimed that the extension is "fully compliant with Chrome Web Store policies, and any screenshot functionality is disclosed in our privacy policy."

According to the developer:

"All data collected is encrypted and handled according to standard practices for browser extensions. We are committed to transparency and user privacy and welcome readers to review our documentation for further details."

While the developer claims that the extension is compliant with Google Chrome's Web Store policies, Koi researchers aren't convinced by the claims that the tool only grabs screenshots when encountering a suspicious domain.

They further shared their findings, highlighting the tool grabbing screenshots of trusted domains, including Google. However, the screenshots aren't being used or stored but are briefly analyzed for potential threats.

Despite these concerning findings from Koi security, FreeVPN.One continues to be available for installation as of the time of publication. It is unclear if Google is looking into the report and whether it intends to scrap the extension from its Chrome Web Store, as it violates its policies.

Sounds like Windows Recall all over again

Last year, Microsoft unveiled a handful of crazy next-gen AI features exclusively to its Copilot+ PCs, including Windows Recall, Live Captions, and more. However, Windows Recall grabbed the most attention, potentially becoming the tech giant's most controversial feature.

For context, Windows Recall is an AI-powered feature that acts like your PC's photographic memory and captures snapshots of everything you see and do. The experience runs on-device NPU (neural processing unit) and doesn't rely on the cloud for any of its functionalities for privacy, security, and performance.

The feature has raised major concerns among security experts and general users, who've branded it as "a security nightmare," which has turned the operating system into a hacker's paradise.

While Microsoft has ramped up Windows Recall's security with elaborate measures like making Windows Hello a mandatory requirement and isolating it in a "VBS Enclave" (making it unreadable to third-party apps) and filtering out sensitive information like passwords and credit card details, users are seemingly still keeping it at arm's length.

It will be interesting to see how Google handles the critical security and privacy concerns impacting its Chrome Web Store via FreeVPN.One. Let me know what you think in the comments.