- Researchers discovered “VPN Go” extensions for Chrome and Firefox secretly harvesting copied text
- Clipboard theft wasn’t there at launch and arrived via a later update.
- Anything copied while the extension was active should now be treated as exposed
Socket security researchers discovered two browser extensions distributed under the brand “VPN Go: Free VPN”, one listed on the Chrome Web Store and the other on Firefox add-ons, to secretly harvest copied text.
Both promote themselves as free VPN tools with working proxy features. Underneath, Socket says, both also run a clipboard stealer that constantly monitors copied text and sends it to infrastructure controlled by the attacker.
According to Socket, clipboard theft was not present when the extensions first appeared. It was added later, via an ordinary-looking update, after the extensions had already built up a trusted user base. This step-by-step approach is exactly what makes this type of threat so difficult to detect and why even a fairly cautious user can find themselves exposed.
For anyone considering a free privacy tool, it’s worth knowing that not all free options behave this way, and the best VPN services are tested precisely so you don’t have to take this kind of gamble. But this case shows how thin the line can be between a useful free extension and a data collection extension.
What Socket’s research discovered
Socket says the first versions analyzed behaved like ordinary proxy extensions, with no confirmed clipboard theft.
On Chrome, this changed with version 1.1, when the extension added a script that reads the clipboard and sends those chunks to a hardcoded address. The Firefox version followed the same path a little later, moving the same flight loop into its background script.
Once active, surveillance is relentless. The Chrome content script checks the clipboard approximately every half-second, according to Socket’s analysis, while the Firefox version polls every 1.5 seconds.
Each newly copied value is tagged with a session ID so that it can be reassembled at the other end and then sent over simple HTTP. All this was happening despite both apps’ privacy policies stating that the tools did not collect, store or share user data or keep activity logs.
TechRadar contacted VPN Go for comment, but both email addresses bounced and both extensions have since been removed from their stores.
Why clipboard thieves are dangerous for users
The reason clipboard theft is so effective is because it abuses something completely routine. People copy and paste sensitive information all day long, and it’s not negligent to do so. Password managers rely on exactly that: copying long, unique passwords across your accounts.
An extension capable of silently reading the clipboard has access to all this information; just wait until you copy the right thing. If you used either of the two extensions in question, you should consider any information you copied during this time as exposed.
Researchers have repeatedly discovered that free VPN extensions do things that their users never agreed to. Recent reports have covered a free Chrome VPN extension caught taking screenshots of every page its users visit, as well as a malicious free VPN extension that resurfaced after being removed, returning in a more evasive form.
The pattern is consistent enough that it’s worth treating any unknown free VPN extension with caution by default. This caution is important: TechRadar’s own survey found that nearly one in four readers use free VPNs even though they know the risks.
How to stay safe
If you want the protection offered by a VPN without rolling the dice, opt for providers with experience and independent testing behind them.
A reputable paid service, or one of the carefully curated best free VPN options, is a much safer bet than an unknown extension promising unlimited access for nothing. As the saying goes, when the product is free, there’s a good chance you are the product.
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!




