Google and Microsoft have removed the popular ModHeader browser extension from their respective extension stores after cybersecurity researchers discovered hidden code capable of collecting users’ browsing history. The extension, which had approximately 1.6 million installations across Google Chrome and Microsoft Edge, was found to contain a built in browsing data collection mechanism despite continuing to function as a legitimate HTTP header editing tool. According to UK based security firm Stripe OLT, the collector remained inactive because it relied on an internal allow list that was shipped empty, meaning there is currently no evidence that any browsing history was actually gathered or transmitted. Researchers confirmed that the analyzed code came from the official extension available through Google’s Chrome Web Store by validating Google’s own store signature, confirming that the functionality was part of the genuine application rather than a counterfeit version. The Chrome version accounted for around 900,000 users, while third party estimates placed another 700,000 installations on Microsoft Edge. Microsoft removed the Edge listing on July 3, followed by Google removing the Chrome version on July 10.
The researchers found that ModHeader version 7.0.18, identified by extension ID idgpnmonknjnojddfkpgkljpfnnfcklj, contained an additional background component alongside its advertised HTTP header editing features. During its initial execution, the extension generated a unique device fingerprint and loaded a hardcoded encryption key. As users browsed the internet, the dormant system was designed to collect the domain names of visited websites, encrypt the information, and store up to 1,000 unique domains locally. A built in scheduler was configured to package the encrypted data together with the device fingerprint once every 24 hours before sending it to the domain api.stanfordstudies.com and then clearing the locally stored records. Upload times were staggered for each installation to avoid simultaneous network activity across all users. Independent examinations performed by HackIndex on version 7.0.18 and security researcher Yunus Aydin on version 7.0.17 documented the same data collection workflow. Researchers explained that the collection mechanism never became active because every browser failed the allow list verification, which remained empty. However, they noted that enabling the feature would require only a routine extension update without requesting additional permissions or user interaction because the required encryption key, scheduling mechanism, storage functionality, and communication endpoint were already present in the installed software.
Although the browsing history collection system remained inactive, researchers found other components already communicating with external infrastructure. During installation, updates, and removal, the extension contacted a separate domain named extensions hub.com to transmit product, browser, and version information. Another script running on every visited webpage also recorded request metadata in plain text within local storage, confirming that portions of the data collection framework were already operational. Stripe OLT noted that several automated security scanning tools rated ModHeader as low risk, with some assigning security scores as high as 95 out of 100. According to the researchers, the extension’s design made automated detection difficult because collected information was encrypted before storage, preventing scanners from easily identifying readable data, while the inactive upload process produced no suspicious outbound traffic during testing. The malicious functionality was also deeply integrated into an otherwise legitimate codebase using minified code, and the associated domains had not developed a known malicious reputation. Researchers emphasized that a valid extension signature only confirms the origin of the software and does not verify the safety of its internal behavior.
Stripe OLT linked the domains used by the extension to active online infrastructure, reporting that stanfordstudies.com has no affiliation with Stanford University and currently operates as a repurposed domain connected to an OpenSearch backend, while extensions hub.com appears configured for advertising related services. Both application programming interface endpoints resolved to the same Amazon hosted server during the investigation, suggesting a common operator, although researchers said this alone does not provide definitive attribution. They also identified several weak indicators that loosely suggested a Chinese speaking operator but did not attribute the activity to any specific group. Researchers noted that ModHeader previously attracted attention in 2023 following reports of search result advertisement injection and its transition to an advertising supported model, although no claims were made regarding the original developer or ownership changes. The extension’s website continues to state that it does not collect user data, a claim researchers said conflicts with the presence of a built in browsing history collector even if it remained inactive. Security experts recommend that users remove ModHeader from Chrome and Edge if it remains installed, rotate any sensitive credentials such as API keys, bearer tokens, or session cookies that may have been entered into the extension, and verify that browser synchronization or enterprise management policies do not automatically reinstall it. They also advised organizations to monitor and block communications with the identified domains while reviewing network logs for activity associated with the extension ID and related communication endpoints.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.