Full Report
Google and Microsoft have pulled ModHeader, a popular header-editing extension with roughly 1.6 million installs across Chrome and Edge, after researchers found a hidden browsing-history collector built into its official store version. The collector was dormant. An empty allow-list kept it switched off, and no proof has emerged that it ever gathered or sent a single browsing domain. The
Analysis Summary
# Incident Report: ModHeader Browser Extension Hidden Data Collector
## Executive Summary
ModHeader, a browser extension with over 1.6 million installs, was removed from the Chrome and Edge web stores after researchers discovered a hidden, dormant browsing-history collector. Although the data exfiltration pipeline was inactive due to an empty allow-list, the extension contained hardcoded encryption keys and scheduled tasks designed to bundle and upload user browsing habits. The discovery highlights the risks associated with the "supply chain" of browser extensions, where trusted tools may be sold or updated with malicious components.
## Incident Details
- **Discovery Date:** July 2026
- **Incident Date:** Ongoing (Removal occurred July 3–10, 2026)
- **Affected Organization:** Users of ModHeader extension (1.6 Million+)
- **Sector:** Technology / General Consumer & Enterprise
- **Geography:** Global (Research led by a UK-based firm)
## Timeline of Events
### Initial Access
- **Date/Time:** Circa 2023 (Initial reports of ad-injection and ownership changes)
- **Vector:** Routine software update via official web stores.
- **Details:** The malicious collector was integrated into the legitimate, signed version of the extension (v7.0.17 and v7.0.18).
### Lateral Movement
- **N/A:** As a browser extension, the "movement" occurred via broad distribution through the Chrome Web Store and Edge Add-ons store to user endpoints.
### Data Exfiltration/Impact
- **Status:** Dormant (Potential only).
- **Details:** The extension was designed to encrypt and store up to 1,000 distinct domains visited by the user, to be uploaded daily to `api.stanfordstudies[.]com`.
### Detection & Response
- **July 3, 2026:** Microsoft removed ModHeader from the Edge Add-ons store.
- **July 10, 2026:** Google removed ModHeader from the Chrome Web Store.
- **Detection:** Discovered through independent security research by Stripe OLT, HackIndex, and Yunus Aydin.
## Attack Methodology
- **Initial Access:** Valid browser extension update mechanism.
- **Persistence:** Extension background script running on browser startup.
- **Defense Evasion:** Minified code to hide logic; data encryption to bypass scanners; "gated" execution via a dormant allow-list to bypass sandbox analysis.
- **Collection:** Browser history domain logging (limited to 1,000 domains).
- **Exfiltration:** Scheduled daily POST requests to an external API (offset per install to avoid traffic spikes).
- **Impact:** Privacy violation and potential exposure of browsing habits.
## Impact Assessment
- **Financial:** No direct financial loss reported; significant potential loss of trust for the developer.
- **Data Breach:** None confirmed (collector was dormant). Potential for 1.6 million users' history to be exposed.
- **Operational:** Minimal; removal of a utility tool used by developers.
- **Reputational:** High for the "ModHeader" brand and secondary impact on the perceived safety of the Chrome/Edge extension ecosystems.
## Indicators of Compromise
- **Network Indicators:**
- `api.stanfordstudies[.]com` (Exfiltration endpoint)
- `extensions-hub[.]com` (Telemetry/Ping endpoint)
- **File Indicators:**
- Extension ID: `idgpnmonknjnojddfkpgkljpfnnfcklj`
- Version: `7.0.17`, `7.0.18`
- **Behavioral Indicators:**
- Unauthorized encryption of browser domain history stored in local storage.
- Pings to external domains during install/uninstall events.
## Response Actions
- **Containment:** Removal of the extension from official stores to prevent new installs.
- **Eradication:** Involuntary disabling or removal of the extension from user browsers by Google/Microsoft.
- **Recovery:** Users must seek alternative header-editing tools (e.g., open-source alternatives).
## Lessons Learned
- **Implicit Trust:** High-reputation extensions can be "weaponized" after acquisition or via developer compromise.
- **Detection Limitations:** Automated store checkers can be easily bypassed by dormant code and minified logic.
- **Metadata Risks:** Even "active" features (like telemetry pings) can provide operators with significant user data before malicious logic is even triggered.
## Recommendations
- **Inventory Management:** Organizations should audit and whitelist specific, required browser extensions.
- **Principle of Least Privilege:** Use extensions only when necessary and check for "Open Source" alternatives where code is more easily audited by the community.
- **Runtime Monitoring:** Utilize endpoint detection and response (EDR) to monitor for unusual outbound connections from browser processes to unknown APIs.