ModHeader Extension Removed for Potential Data Exfiltration

A widely used browser extension, ModHeader, has been removed from the Chrome Web Store after researchers discovered dormant code capable of collecting and transmitting users’ browsing data. ModHeader, a tool designed for modifying HTTP request and response headers, had approximately 1.6 million installations across Chrome and Microsoft Edge.

While the extension’s broad permissions are necessary for its intended functionality, they also allow it to interact with all web traffic and pages a user visits. In version 7.0.18, researchers identified code within the extension’s background service worker that could extract domains from visited URLs, encrypt them using a hardcoded AES-GCM key, and store the encrypted records in IndexedDB.

The data collection mechanism utilized two local data stores: a settings store for installation fingerprints, encryption initialization vectors, and upload timing data; and a temporary store for encrypted domain records and visit counters. The system was configured to retain up to 1,000 distinct domains before initiating an upload to an external server.

Although the data collection function was inactive in the analyzed version due to an empty allow-list, the presence of the complete framework raised concerns. This infrastructure could be activated through a routine extension update without requiring new permissions from users.

Additionally, the extension contained active telemetry functionality linked to extensions-hub.com, reporting installation, update, and uninstallation events. This tracking was separate from the dormant data collection capability but indicated communication with third-party servers.

In response, both Google and Microsoft have removed ModHeader from their respective extension stores. Microsoft took action on July 3, followed by Google’s removal and flagging of the extension as malware.

Organizations are advised to search for the extension ID idgpnmonknjnojddfkpgkljpfnnfcklj, block or monitor communications with stanfordstudies.com and extensions-hub.com, and remove the extension from managed browser environments. Users who utilized ModHeader for API testing should review and rotate sensitive values previously placed in custom headers, including API keys, authorization tokens, and session cookies.

This incident highlights a persistent issue in browser extension security: while Chrome Web Store signatures confirm an extension’s origin, they do not guarantee the absence of malicious code. Users and organizations must remain vigilant, regularly auditing installed extensions and monitoring for unusual behavior to mitigate potential risks.