ModHeader Pulled From Chrome and Edge After Hidden Data Collector Found
Google and Microsoft have removed ModHeader, a popular HTTP header-editing browser extension with roughly 1.6 million combined installs, after security researchers identified a dormant browsing-history collector embedded inside the officially distributed code. The discovery, made by UK-based firm Stripe OLT, confirmed the collector shipped within the genuine signed package rather than a tampered copy. Microsoft pulled the Edge listing on July 3, followed by Google removing the Chrome extension on July 10. The Chrome version, identified by extension ID idgpnmonknjnojddfkpgkljpfnnfcklj, served around 900,000 users, while third-party trackers estimated an additional 700,000 installs on Edge.
A teardown of version 7.0.18 revealed a two-stage pipeline buried inside minified background code. On first run, the extension builds a device fingerprint and loads a hardcoded encryption key. As users browse, the script extracts the domain from each visited page, encrypts it, and stores it locally up to a cap of 1,000 distinct domains. A daily scheduler then bundles the encrypted list with the device fingerprint, transmits it to api.stanfordstudies[.]com, and wipes the local copy. The beacon time is offset per installation to avoid synchronized outbound traffic. Stripe OLT independently corroborated these findings alongside separate analyses from HackIndex on version 7.0.18 and researcher Yunus Aydin on 7.0.17, both describing the same architecture. Researchers can validate suspicious domain infrastructure using a WHOIS lookup to trace registration details and ownership history.
The collector is gated behind an internal allow-list that currently ships empty, causing the activation check to fail every time and preventing any data from being exfiltrated. However, the encryption key, endpoint URL, scheduler, and storage logic are already loaded on every installed machine, meaning a routine silent update could activate the pipeline with no new permissions or user interaction. The design deliberately evades automated scanners: payload data is encrypted, the upload is disabled in default state, the malicious code is minified into a legitimate codebase, and the endpoints carry no prior malicious reputation. Some automated risk-rating tools scored ModHeader as low risk, with confidence figures as high as 95 out of 100. Because the extension was signed and widely installed, browsers treated it as trusted. Security professionals concerned about exposure can run a browser fingerprint test to evaluate how uniquely identifiable their current browsing session is.
Not all components were inactive. On install, update, and uninstall events, the extension pinged a separate domain, extensions-hub[.]com, transmitting product name, version number, and browser identifier. Additionally, a content script running on every page was already logging real request metadata to local storage in plaintext, confirming that telemetry functionality had been actively operating. Stripe OLT tied stanfordstudies[.]com to live, maintained infrastructure with no affiliation to Stanford University, underscoring how attackers leverage credible-sounding domains. Users who previously installed ModHeader should audit their extensions immediately, review stored browser data, and consider running a privacy checkup to identify other background exposures on their system.