- Researchers found that “VPN Go” extensions for Chrome and Firefox secretly harvested copied text
- The clipboard theft was not there at launch and arrived through a later update
- Anything copied while the extension was active should now be treated as exposed
Security researchers at Socket found two browser extensions distributed under the “VPN Go: Free VPN” branding, one listed on the Chrome Web Store and one on Firefox Add-ons, to secretly harvest copied text.
Both present themselves as free VPN tools with working proxy features. Underneath, Socket says, both also run a clipboard that constantly watches for copied text and sends it to infrastructure controlled by the attacker.
According to Socket, clipboard theft was not around when the extensions first appeared. It was added later, through a plain-looking update, after the extensions had already built a base of trusting users. The staged approach is exactly what makes this kind of threat so difficult to spot, and why even a fairly cautious user can end up being exposed.
For anyone weighing up a free privacy tool, it’s worth knowing that not all free options behave like this, and the best VPN services are rigorously tested so you don’t have to take this kind of gamble. But this case shows how thin the line can be between a useful free extension and a data collector.
What Socket’s research has revealed
Socket says the earliest builds analyzed behaved like regular proxy extensions with no confirmed clipboard theft.
On Chrome, that changed with version 1.1, when the extension added a script that reads the clipboard and sends those chunks to a hardcoded address. The Firefox version followed the same path a little later, moving the same theft loop into its background script.
Once active, the surveillance is relentless. The Chrome content script checks the clipboard about every half a second, according to Socket’s analysis, while the Firefox build polls every 1.5 seconds.
Each newly copied value is tagged with a session ID so it can be reassembled at the other end and then sent out over plain HTTP. All this happened while the two apps’ privacy policies said the tools did not collect, store or share user data and did not keep activity logs.
TechRadar has reached out to VPN Go for comment, but both email addresses declined, and both extensions have since been pulled from their stores.
Why clipboards are dangerous for users
The reason clipboard theft is so effective is that it abuses something completely routine. People copy and paste sensitive information all day, and it’s not careless to do so. Password managers rely on exactly that: copying long, unique passwords for your accounts.
An extension that can silently read the clipboard has access to all this information; it just has to wait for you to copy the right one. If you’ve used either of the two extensions in question, you should treat any information you’ve copied during that time as exposed.
Researchers have repeatedly found free VPN extensions that do things their users never agreed to. Recent reports have covered a free Chrome VPN extension that was caught taking screenshots of every page its users visited, and a malicious free VPN extension that resurfaced after being removed and returned in a more elusive form.
The pattern is consistent enough that it’s worth treating any unknown free VPN extension with caution by default. That caution is important: TechRadar’s own poll found that nearly 1 in 4 readers use free VPNs despite knowing the risks.
How to stay safe
If you want the protection a VPN offers without rolling the dice, stick with providers with a track record and independent testing behind them.
A reputable paid service, or one of the carefully researched best free VPN options, is a far safer bet than an unknown extension that promises unlimited access for nothing. As they say, when the product is free, there’s a decent chance you’re the product.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!



