Any website could control Urban VPN's Chrome extension with "Toad"
Urban VPN's Chrome extension has a significant security flaw that allows any website to control it without proper authentication. This vulnerability could lead to users being disconnected from the VPN, exposing their real IP addresses, and overriding privacy settings. The issue has been addressed in a recent update, but concerns remain about user data collection practices.
- Urban VPN is the most popular VPN extension on the Chrome Web Store with around 9 million active users.
- Any website could send commands to the Urban VPN extension, allowing for disconnection and rerouting of traffic.
- The vulnerability was due to a lack of origin verification, relying only on two hardcoded strings for authentication.
Opening excerpt (first ~120 words)
Urban VPN is the most popular VPN extension on the Chrome Web Store, with approximately 9 million active users across Chrome and Edge. Until last week, any website could control it. Any site could disconnect the VPN, reroute traffic through Russia, disable every "security" feature, kill your other proxy/VPN extensions and force you into data collection you'd opted out of. TL;DR: Any website could silently send commands to Urban VPN's Chrome extension without origin verification. The only "authentication" was two publicly known strings: the extension ID and the word Toad, hardcoded in the source. We also found the "Opt out of data collection" toggle is inverted in code - when it shows ON, you're opted in. Fixed in 5.12.5 (21 May 2026). CVSS 8.3 | CVE pending.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Amibeingpwned.
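The flaw described above, modelled as an added example (not Urban VPN's code, and not taken from the article): an external-message handler whose only "authentication" is two strings present in the extension's own public source, beside a hardened handler that decides trust from the sender's origin against an allowlist and honours only a closed set of commands. The extension ID, the dashboard origin and the command set are hypothetical placeholders.

```javascript
// Hypothetical stand-ins: not Urban VPN's real extension ID or origins.
const EXT_ID = "hypothetical-extension-id";
const SHARED_WORD = "Toad"; // the hardcoded string named in the write-up

// Vulnerable pattern: both "secrets" ship in the extension's source, so any
// page can supply them; chrome.runtime.MessageSender is never inspected.
function vulnerableAccepts(msg /*, sender ignored */) {
  return msg.id === EXT_ID && msg.key === SHARED_WORD;
}

// Hardened pattern: trust comes from sender.origin (falling back to the
// origin of sender.url), checked against an explicit allowlist, and only
// read-only commands are reachable from a web page at all.
const ALLOWED_ORIGINS = new Set(["https://dashboard.example.com"]); // hypothetical
const ALLOWED_COMMANDS = new Set(["getStatus"]); // no remote disconnect/reroute

function senderOrigin(sender) {
  if (sender && sender.origin) return sender.origin;
  try {
    return new URL(sender.url).origin; // throws on a missing/invalid url
  } catch {
    return null;
  }
}

function hardenedAccepts(msg, sender) {
  const origin = senderOrigin(sender);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) return false;
  return ALLOWED_COMMANDS.has(msg.cmd);
}

// Manifest-side layer: externally_connectable restricts which pages can reach
// onMessageExternal at all, so the runtime origin check is the second gate.
const MANIFEST_FRAGMENT = {
  externally_connectable: { matches: ["https://dashboard.example.com/*"] },
};

// Wiring inside the extension (shown as a comment: no chrome API here):
// chrome.runtime.onMessageExternal.addListener((msg, sender, reply) =>
//   reply(hardenedAccepts(msg, sender) ? handle(msg) : { error: "denied" }));
```

A defender reviewing an extension can grep its background script for `onMessageExternal` and check whether every listener consults `sender.origin`/`sender.url` rather than fields inside the message.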