Is TunnelBear VPN safe to use?

TunnelBear VPN has a risk level of HIGH with an overall risk score of 6.3/10. Our scan detected 42 security findings. This extension has significant security concerns — review the full report before installing.

What permissions does TunnelBear VPN request?

TunnelBear VPN requests the following permissions: proxy, storage, declarativeNetRequest, webRequest, privacy, management, webRequestAuthProvider. It also requests host access to: , https://*.tunnelbear.com/*.

What is TunnelBear VPN's risk score?

TunnelBear VPN has an overall risk score of 6.3/10 (HIGH). Breakdown: Permissions 8.5/10, Code 8.6/10, Combinations 10.0/10, CSP 2.2/10.

ExtSafe

TunnelBear VPNSecurity Analysis

Chromev4.1.0MV3February 18, 2026 at 11:43 AM

Potentially unsafe

This extension shows concerning patterns that may indicate risky behavior. Proceed with caution.

6.3HIGH

6.3 HIGHRaw: 7.9

This extension shows significant risk signals. Review the findings below carefully before installing or continuing to use it.

Based on 9 permissions including high-risk ones, 35 code findings, 2 dangerous combinations.

Trust Signals(5.5/10)

Users

1.0M

Rating

4.1(33K reviews)

Developer

TunnelBear, LLC

Dangerous Combinations(2)

CRITICALNetwork interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking+external network request

CRITICALExtension management + dynamic code execution

Extension manages other extensions and executes dynamic code — behavior consistent with malware dropper.

management+eval/Function/dynamic code

Permissions

8.5/10

Code

8.6/10

Combinations

10.0/10

Manifest/CSP

2.2/10

Permissions(9 analyzed)

Code Findings(16 patterns, 35 total)

Content Security Policy

No CSP Defined(1 issue)

MEDIUM

N/ANo CSP defined

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Manifest Analysis(1 finding)

LOW

externally_connectableExternal messaging enabled

Extension accepts messages from 1 external pattern(s). Verify these are trusted origins.

External Domains(23)

${e${t*.tunnelbear.com8tiodxhk8a.execute-api.us-east-1.amazonaws.comaddons.mozilla.orgapi.polargrizzly.comapi.tunnelbear.comapp.configcat.comcdn-eu.configcat.comcdn-global.configcat.comconfigcat.comgithub.comhelp.tunnelbear.comleafletjs.commicrosoftedge.microsoft.comraw.github.comstaging.tunnelbear.comstuartk.comstuk.github.iotunnelbear.comvuejs.orgw6wgmwa4bd.execute-api.us-east-1.amazonaws.comwww.tunnelbear.com