SetupVPN - Lifetime Free VPN
Version 4.0.9 View in Chrome Web Store
Extension Details
Context-Aware Verdict
The extension has strong user adoption metrics with 1 million users and a high 4.7-star rating from 47,400 reviews, suggesting legitimate functionality. SetupVPN Inc appears to be an established company in the VPN space. The high user base and positive ratings indicate the extension generally works as advertised for VPN services.
The permission set is extremely broad and powerful for a VPN extension. The combination of proxy, webRequest, and all_urls permissions creates a perfect storm for potential data interception. The management permission is particularly concerning as it allows control over other extensions, which is unnecessary for VPN functionality. The unsafe WebAssembly execution policy could hide malicious code or enable resource-intensive operations. The tabs permission provides unnecessary access to browsing behavior across all websites.
While VPN extensions legitimately need some elevated permissions to function, this extension's permission scope exceeds what's typically required. The ability to intercept all web traffic, manage other extensions, and execute potentially unsafe code creates significant attack vectors if the extension were compromised or malicious.
Run this extension in a completely separate Chrome profile to isolate it from your main browsing activities and other extensions. Consider using a dedicated VPN application instead of a browser extension for better security isolation. If you must use this extension, regularly audit your other installed extensions since it has management permissions over them.
Findings
Security Analysis Details
Required Permissions:
- proxy
- storage
- webRequest
- webRequestAuthProvider
- notifications
- tabs
- management
- alarms
- declarativeNetRequest
Host Permissions:
- <all_urls>
Content Security Policy:
- extension_pages: script-src 'self' 'wasm-unsafe-eval'; object-src 'self';
Embedded URLs (49 total):
| https://github.com/facebook/regenerator/blob/main/LICENSE | https://user1.setupvpn.com | |
| https://user2.setupvpn.com | https://user3.setupvpn.com | |
| https://user4.setupvpn.com | https://user5.setupvpn.com | |
| https://user6.setupvpn.com | https://user7.setupvpn.com | |
| https://user8.setupvpn.com | https://user9.setupvpn.com | |
| https://user10.setupvpn.com | https://user11.setupvpn.com | |
| https://user12.setupvpn.com | https://user13.setupvpn.com | |
| https://user14.setupvpn.com | https://user15.setupvpn.com | |
| https://redux.js.org/Errors?code= | https://lllm.scanners.fun | |
| https://uabh.talked.run | https://mjgu.figure.run | |
| https://xcxx.pointed.cc | https://uaia.scanners.fun | |
| https://icax.figure.run | https://1.foreground.work | |
| https://1.awakened.work | https://1.6912044.cc | |
| https://1.default2024.uk | https://1.sahi.uk | |
| https://1.area9.uk | https://sxkk.pointed.cc | |
| https://api.keepthisdomain.com | https://1.allnine.uk | |
| https://ksho.uk | https://3245.uk | |
| https://tierbase3.fra1.cdn.digitaloceanspaces.com/tierssv.json | https://tierbase4.s3.amazonaws.com/tierssv.json | |
| https://pub-8029ed10cf4e4db0b3757e6b82ef7a40.r2.dev/tierssv.json | https://ams1.vultrobjects.com/tierupdate2/tierssv.json | |
| https://mirror4.es-mad-1.linodeobjects.com/tierssv.json | https://raw.githubusercontent.com/the7c/update/master/master/ui/data.json | |
| https://bitbucket.org/the7c/update/raw/master/edge/pub/data.json | https://reactjs.org/docs/error-decoder.html?invariant= | |
| http://www.w3.org/1999/xlink | http://www.w3.org/XML/1998/namespace | |
| http://www.w3.org/2000/svg | http://www.w3.org/1998/Math/MathML | |
| http://www.w3.org/1999/xhtml | http://jedwatson.github.io/classnames | |
| https://clients2.google.com/service/update2/crx |
Raw Manifest
{ "name": "SetupVPN - Lifetime Free VPN", "icons": { "16": "icon16.png", "32": "icon32.png", "48": "icon48.png", "128": "icon128.png" }, "action": { "default_icon": "officon128.png", "default_popup": "popup.html" }, "version": "4.0.9", "background": { "service_worker": "background.bundle.js" }, "short_name": "SetupVPN", "update_url": "https://clients2.google.com/service/update2/crx", "description": "Unblock any blocked website in your country, school or company. It's free and easy to use.", "permissions": [ "proxy", "storage", "webRequest", "webRequestAuthProvider", "notifications", "tabs", "management", "alarms", "declarativeNetRequest" ], "host_permissions": [ "<all_urls>" ], "manifest_version": 3, "externally_connectable": { "matches": [ "<all_urls>" ] }, "content_security_policy": { "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self';" }, "declarative_net_request": { "rule_resources": [ { "id": "ruleset_1", "path": "rules.json", "enabled": true } ] }, "web_accessible_resources": [ { "matches": [ "<all_urls>" ], "resources": [ "libs/*" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.