Hidden Spy for 1.6 Million Users: Popular Browser Extension ModHeader Secretly Collected Browsing History
Google and Microsoft have removed the widely used ModHeader browser extension from their official stores after researchers uncovered a hidden mechanism capable of secretly collecting users' browsing history. The extension, which boasted roughly 1.6 million installations, had maintained a reputation as a legitimate developer tool for years before the malicious functionality was exposed.
ModHeader enables users to modify HTTP headers exchanged between the browser and websites. It is commonly employed by developers and QA specialists to test web applications, inject authorization tokens, and simulate different request parameters without altering source code.
Discovery and Removal Timeline
Researchers at the British company Stripe OLT analyzed the extension's code using signatures from the Chrome Web Store and confirmed that the suspicious module was present in the authentic build, not a counterfeit. Microsoft removed the extension from the Edge store on July 3, while Google removed the Chrome version on July 10.
How the Hidden Collector Worked
Although ModHeader continued to perform its advertised functions, its background code contained a separate data-collection mechanism. Upon launch, the extension generated a device fingerprint, extracted domains from open pages, encrypted the data, and could store up to 1,000 addresses locally. Once per day, the list was scheduled to be sent to api.stanfordstudies[.]com together with the device fingerprint, after which the local copy would be deleted.
The collector remained inactive because it was configured to activate only for browsers listed in an internal array that was supplied empty. No evidence of actual data collection or transmission was found. However, the developer could have enabled the feature at any time through a routine update without requesting additional permissions or user interaction.
Active Telemetry and Data Exposure
Partial telemetry was already operational. On installation, update, and removal, ModHeader sent product, version, and browser information to extensions-hub[.]com. Additionally, a script running on every page saved request metadata in plaintext. Automated security scanners rated the extension as low-risk because the history-collection feature was disabled, data was encrypted, and the code was hidden inside a legitimate project.
Recommendations for Users and Administrators
- Immediately remove ModHeader from Chrome and Edge and verify that it has not been restored via profile synchronization or corporate policy.
- Replace any API keys, access tokens, or session cookies that were entered through the extension.
- Administrators should block the domains stanfordstudies[.]com and extensions-hub[.]com and review logs for connections to these domains or the extension identifier.