Extension Details
Context-Aware Verdict
The extension has a substantial user base of 1 million users and a high rating of 4.7 stars from 18.7K reviews, which suggests user satisfaction. However, the developer information is minimal, with only a domain name (vpnly.com) provided, which limits transparency about the company behind the extension.
The extension requests an excessive number of high-risk permissions that go far beyond what's necessary for a VPN service. The management permission is particularly concerning as it allows control over other extensions, which is unnecessary for VPN functionality. The combination of proxy, webRequest, and broad host permissions creates a powerful surveillance capability that could intercept, modify, or redirect all web traffic. The tabs permission adds another layer of potential privacy invasion by allowing access to browsing behavior across all websites.
The broad host permissions covering all URLs means this extension can access sensitive data on banking sites, email platforms, and any other websites you visit. For a VPN service, such extensive access raises red flags about potential data collection and privacy violations.
Given the critical risk level, consider using this extension only in a completely separate Chrome profile isolated from your main browsing activities. Better yet, consider switching to a reputable standalone VPN application that doesn't require browser-level permissions. If you must use browser-based VPN extensions, look for alternatives with more limited, appropriate permissions and greater developer transparency.
Findings
Security Analysis Details
Required Permissions:
- proxy
- storage
- webRequest
- webRequestAuthProvider
- tabs
- management
- offscreen
Host Permissions:
- <all_urls>
- http://*/
- https://*/
Embedded URLs (21 total):
| https://github.com/lancedikson/bowser | https://vpnly.com | |
| https://vpnlyru.com | https://gapi.268222219.xyz | |
| https://s3.amazonaws.com/static.vpnly.com | https://api.268222219.xyz | |
| https://support.mozilla.org/kb/disable-or-remove-add-ons#w_disabling-extensions | https://chromewebstore.google.com/detail/free-vpn-proxy-vpnly/lneaocagcijjdpkcabeanfpdbmapcjjg/review?hl= | |
| https://addons.mozilla.org/ | https://t.me/share/url?url= | |
| https://facebook.com/sharer/sharer.php?u= | https://x.com/intent/tweet?text= | |
| https://reddit.com/submit/?title= | https://vk.com/share.php?title= | |
| http://api.telegra.ph/getPage/fvp-11-30 | http://www.w3.org/2000/svg | |
| https://clients2.google.com/service/update2/crx | https://vuejs.org/error-reference/#runtime- | |
| http://www.w3.org/1998/Math/MathML | http://www.w3.org/1999/xlink | |
| https://s3.hub-vpn.com |
Raw Manifest
{ "name": "__MSG_appName__", "icons": { "16": "icons/icon-16.png", "128": "icons/icon-128.png" }, "action": { "default_icon": { "19": "icons/icon-19.png", "38": "icons/icon-38.png" }, "default_popup": "popup.html", "default_title": "VPN" }, "version": "2.2.0", "background": { "service_worker": "background.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "__MSG_appDescription__", "permissions": [ "proxy", "storage", "webRequest", "webRequestAuthProvider", "tabs", "management", "offscreen" ], "default_locale": "en", "host_permissions": [ "<all_urls>", "http://*/", "https://*/" ], "manifest_version": 3, "externally_connectable": { "matches": [ "*://localhost/*" ] }, "web_accessible_resources": [ { "matches": [ "<all_urls>" ], "resources": [ "icons/icon-48.png" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.