Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found

July 18, 2026

ShareFile Threat, Citrix Bleed 2 Ransomware, AI Coding Attacks, and More

July 18, 2026

23andMe Faces New Security Mandates in $18m Data Breach Settlement

July 17, 2026
Facebook X (Twitter) Instagram
Saturday, July 18
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found
News

Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found

Team-CWDBy Team-CWDJuly 18, 2026No Comments5 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


Google and Microsoft have pulled ModHeader, a popular header-editing extension with roughly 1.6 million installs across Chrome and Edge, after researchers found a hidden browsing-history collector built into its official store version.

The collector was dormant. An empty allow-list kept it switched off, and no proof has emerged that it ever gathered or sent a single browsing domain.

The analysis came from Stripe OLT, a UK security firm, which checked the code against Google’s own Web Store signature and confirmed the collector shipped inside the genuine extension, not a counterfeit.

Its review covers the Chrome build and its roughly 900,000 users; third-party trackers put another 700,000 or so on Edge. Microsoft pulled the Edge listing on July 3, and Google removed the Chrome one a week later, on July 10.

Version 7.0.18 (extension ID idgpnmonknjnojddfkpgkljpfnnfcklj) still edits HTTP headers as advertised. The same minified background code also contains a second system. On first run, it builds a device fingerprint and loads a hardcoded encryption key. As you browse, it takes the domain from each page you open, encrypts it, and stores it locally, up to 1000 distinct domains.

Once a day, a scheduler bundles the encrypted list with your fingerprint, posts it to api.stanfordstudies[.]com, and wipes the local copy. The upload time is offset per install, so browsers running it would not all beacon at once if the collector were switched on. Separate teardowns, by HackIndex on version 7.0.18 and researcher Yunus Aydin on 7.0.17, describe the same pipeline.

The collector runs only if your browser matches an entry on an internal allow-list, and that list ships empty. The check fails every time, so the pipeline stops before it collects a single domain. Populating that list is a small change, with no new permissions and no click from you, delivered as a routine update. The hardcoded key, the endpoint URL, the scheduler, and the storage logic are already on the machine.

Not everything was asleep. On install, update, and uninstall, the extension pinged a second domain, extensions-hub[.]com, with the product, version, and browser. And a script that runs on every page had already logged real request metadata to local storage in plain text, so that piece had clearly been running.

Automated checkers had rated ModHeader low risk, some as high as 95 out of 100. Each part of the design can frustrate a different kind of check. The data is encrypted, so a scanner sees ciphertext. The upload is gated off, so a sandbox sees nothing leave.

The malicious code is minified into a legitimate codebase. The endpoints had no established malicious reputation to flag. And a signed, popular extension reads as trusted. A store signature proves where a file came from, not what it does.

Where the domains lead

Stripe OLT tied the domains to real, maintained infrastructure. stanfordstudies[.]com has no link to Stanford; it is a repurposed old domain fronting an OpenSearch back end, while extensions-hub[.]com is set up for advertising.

The two API endpoints resolved to the same Amazon server at the time of analysis, which fits one operator without proving it. A handful of weak signals point loosely toward a Chinese-speaking operator: a Simplified Chinese locale, a “salt” marker written with the character 盐, and a China-origin mail provider. The researchers name no group, and neither do we.

The warning signs came earlier. ModHeader drew complaints for injecting ads into search results in 2023 and reportedly went ad-supported around then. Who took it over is unconfirmed, and the researchers make no claim about the original author.

ModHeader’s own site still publishes an ad plan that says it collects no user data, which is hard to square with a built-in browsing-history collector, even a switched-off one. The developer has not responded publicly to the findings as of publication.

The Hacker News has contacted ModHeader for comment and put further questions to Stripe OLT, and will update this story with any response.

In 2021, Brian Krebs described how popular extensions get quietly bought and turned into data pipes. This resembles that pattern, now with encryption and a gate that keeps scanners from seeing the upload. This year alone, a run of Chrome extensions was caught collecting data under an “anonymous analytics” label, and a separate set impersonated Workday and NetSuite to steal session cookies. Header editors and cookie managers need broad access to work, and when trust breaks, the blast radius is wide.

What to do

If you have ModHeader, remove it from Chrome and Edge; your browser may have disabled it already. Uninstalling clears its stored data, so the thing to double-check is that profile sync or a managed extension policy will not put it back.

If you pasted secrets into it, API keys, bearer tokens, and session cookies, rotate them, since researchers found its header-history feature storing full HTTP headers on disk.

For defenders, block and log stanfordstudies[.]com and extensions-hub[.]com at DNS and proxy, and search logs for the extension ID and any POST to api.stanfordstudies[.]com/app/log. Stripe OLT published ready-to-run KQL hunting queries for Defender and Sentinel.

The takedowns handle this one extension. The design is the part that should worry people: a complete, store-verified collector sat inside a trusted, popular tool, one apparently built to switch on once an ordinary update populated the empty list. The automated scanners rated it low risk, and the next tool built this way may look just as clean.

The practical lesson is narrow: extension review has to watch for dormant code paths that testing never triggers, new call-home endpoints, and a capability a routine update can add after a change of hands.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleShareFile Threat, Citrix Bleed 2 Ransomware, AI Coding Attacks, and More
Team-CWD
  • Website

Related Posts

News

ShareFile Threat, Citrix Bleed 2 Ransomware, AI Coding Attacks, and More

July 18, 2026
News

23andMe Faces New Security Mandates in $18m Data Breach Settlement

July 17, 2026
News

New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email

July 17, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Here’s how to avoid a ‘second strike’

April 11, 2026

Beware of Winter Olympics scams and other cyberthreats

February 2, 2026

Drowning in spam or scam emails lately? Here’s why

January 27, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.