Google and Microsoft Remove ModHeader Extension Over Hidden Data Collection
Google and Microsoft have removed the popular ModHeader browser extension from their respective stores after researchers uncovered a hidden browsing-history collector embedded within its official version. The extension, which allows users to edit HTTP headers, had approximately 1.6 million installs across Chrome and Edge.
Key Findings
- Dormant Collector: The extension contained a browsing-history collector that was dormant due to an empty allow-list, preventing it from activating. Researchers found no evidence that it had ever gathered or transmitted browsing data.
- Encrypted Data Storage: The collector was designed to encrypt browsing data and store it locally, with a scheduled daily upload to an external server. The upload was staggered to avoid simultaneous beaconing.
- Device Fingerprinting: Upon first use, the extension created a device fingerprint and loaded a hardcoded encryption key. It stored up to 1,000 encrypted domains locally before uploading them to
api.stanfordstudies[.]com.
Timeline of Removal
- Microsoft: Pulled the extension from the Edge store on July 3.
- Google: Removed the extension from the Chrome Web Store a week later, on July 10.
Technical Details
- Version Analysis: Researchers from Stripe OLT, a UK security firm, analyzed version 7.0.18 of ModHeader and confirmed the presence of the collector in the official extension. Additional teardowns by HackIndex and researcher Yunus Aydin corroborated these findings.
- Data Encryption: The collector encrypted browsing data and stored it locally, making it difficult for automated scanners to detect the malicious behavior.
- Ping Activity: The extension pinged a secondary domain,
extensions-hub[.]com, during install, update, and uninstall processes. It also logged request metadata to local storage in plain text.
Infrastructure and Operator Clues
- Domain Analysis: The domains
stanfordstudies[.]comandextensions-hub[.]comwere linked to maintained infrastructure, with both resolving to the same Amazon server at the time of analysis. - Potential Chinese Connection: Weak signals suggested a Chinese-speaking operator, though no specific group was identified.
History of ModHeader
- Ad Injection: In 2023, ModHeader was criticized for injecting ads into search results. It reportedly transitioned to an ad-supported model around the same time.
- Developer Response: The extension's developer has not publicly responded to the findings, and its website still claims it collects no user data.
Recommendations for Users
- Remove ModHeader: Users are advised to remove the extension from Chrome and Edge, as it may have already been disabled by their browsers.
- Rotate Secrets: Users who pasted sensitive information, such as API keys or session cookies, into the extension should rotate these credentials.
- Defensive Measures: Organizations should block and log the domains
stanfordstudies[.]comandextensions-hub[.]comat the DNS and proxy levels.
Industry Implications
The discovery of this dormant data collector highlights the need for more rigorous extension reviews, particularly for detecting code paths that remain inactive during testing. The incident underscores the broader risks of popular extensions being repurposed for data collection after changing hands.
For more updates, stay tuned to ongoing developments in cybersecurity and browser extension safety.