Koidex by Koi Security

Analysis summary

Summary:
FreeVPN.One is a VPN extension for Chrome that provides VPN services and phishing detection capabilities. It is rated Critical due to confirmed spyware activity, which involves sending detailed browser and user information to a remote server.

Key insights:

Intended to provide VPN services and manage proxy settings for enhanced privacy and security.
Rated Critical due to confirmed spyware activity, which collects and transmits detailed user and browser information externally.
Leverages broad host permissions and code execution capabilities, allowing interaction with all websites and potential script injection.
Exceeds its declared purpose by collecting web history, location data, and website content, raising privacy concerns.
Poses significant risk to privacy and organizational security by bypassing network controls and enabling potential data exfiltration.

Findings

Spyware Activity

Flags items that secretly collect user or device information without authorization.

critical

Bypasses Network Control

Flags items that enable users to circumvent organizational network controls, such as firewalls, content filters, or secure gateways. Tools like VPNs or proxy extensions can obscure traffic, bypass security monitoring, and facilitate unauthorized access to restricted content or external services, introducing significant security, compliance, and data exfiltration risks.

high

Broad Host Permissions

Flags items that declare overly broad host access patterns, enabling interaction with all websites. This level of access can be exploited to inject scripts into trusted sites and increases the risk of sensitive data exposure, cross-site surveillance, and credential harvesting.

medium

All findings are available for Enterprise users

Permissions

high

tabs

api

Provides access to privileged information about open tabs including URLs, titles, and loading status, beyond basic tab management.

high

proxy

api

Permits configuration of how the browser connects to the internet, potentially routing traffic through servers controlled by extension developers.

medium

storage

api

Enables persistent data storage for the extension, potentially storing large amounts of user-related information.

API Calls

API calls detected through static analysis of the source code. For more accurate insights, explore our sandbox dynamic analysis.

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

All API calls are available for Enterprise users

Secrets

Any encoded/decoded secrets we managed to find in the source code, git repository, or related files

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

All secrets are available for Enterprise users

Vulnerabilities

Known vulnerabilities and security issues detected in the extension's dependencies and code.

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

All vulnerabilities are available for Enterprise users

External communication

Any identifiers we detected that may indicate external communication from the item's code

https://www.freevpn.one/connect/

page/main.js

https://aitd.one/analyze.php

popup/popup.js

https://aitd.one/?analyse=$

popup/popup.js

All external communications are available for Enterprise users

Code analysis

AI-powered analysis of the extension's source code for security insights and risk assessment.

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

All code insights are available for Enterprise users

Dependencies

Dependencies and third-party libraries used by the extension, including version information and license details.

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

All dependencies are available for Enterprise users

Licenses & Compliance

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

All licenses & compliance are available for Enterprise users