A popular Chrome extension used by around 900,000 people has been removed from the Chrome Web Store after researchers found code that could have collected and uploaded users’ browsing data.
The extension, called ModHeader, is mainly used by developers to modify HTTP headers while testing websites. It has been around for years, so it is the sort of tool many people would install without giving it a second thought.
But a new analysis from cybersecurity firm Stripe OLT found something worrying in ModHeader version 7.0.18. Hidden among the regular extension code was a system designed to record the domains a person visits, encrypt that data, and send it to an external server.
The concerning part is that it apparently was not collecting and uploading browsing data at the time the researchers examined it. There was an empty list in the code that effectively kept the feature switched off. Still, the rest of the setup was already there, including a unique device identifier, encryption key, storage system, upload schedule, and a server ready to receive the data.
As Stripe OLT put it, “the encryption key, the endpoint, the scheduler, the storage, and the collection logic are all present in the analysed build.”
In simple terms, ModHeader had everything it needed to watch which sites users visited. It just needed a future update to enable it.
That is especially concerning because browser extensions update in the background. Users would not necessarily see a new permission prompt or any obvious warning if the developer changed how the extension worked. This is also why it is worth keeping an eye on the extensions installed in your browser, even if they came from an official store.
According to the report, the code was built to send encrypted browsing-domain data to api.stanfordstudies.com. It also included tracking for installation, updates, and removal through another domain called extensions-hub.com.
The researchers said they verified that the suspicious code was part of the Chrome Web Store version, rather than a fake copy pretending to be ModHeader. Google has since removed the listing from the store.
A separate write-up from HackIndex reached a similar conclusion after reviewing the extension files. It found that the browsing-data collector was dormant in the analysed build, but noted that the extension also stored a large amount of browsing-related header data locally. HackIndex’s analysis said the key issue was not necessarily what the extension was sending at that moment, but what it was already capable of doing.
If you still have ModHeader installed, it is a good idea to remove it from Chrome or Edge and clear its extension data.
The post 900,000 people used this Chrome extension — it was one update away from spying on them appeared first on PiunikaWeb.