Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Vulnerability in AsyncAPI npm Packages Exposes Users to Attack
July 14, 2026
Critical FortiSandbox CVE-2023-34981 Exposes VNC Server to Attackers
July 14, 2026
SOC Efficiency: Cut Alert Overload and MTTR by 21 Minutes Per Case
July 14, 2026
Home/CyberSecurity News/Critical Chrome Extension Vulnerability Exposed 1.6M User Passwords
CyberSecurity News

Critical Chrome Extension Vulnerability Exposed 1.6M User Passwords

Key Takeaways The popular ModHeader Chrome and Edge extension, with 1.6 million users, was found to contain dormant code capable of collecting and exfiltrating user browsing data. Although the data...

Sarah simpson
Sarah simpson
July 14, 2026 3 Min Read
4 0

Key Takeaways

  • The popular ModHeader Chrome and Edge extension, with 1.6 million users, was found to contain dormant code capable of collecting and exfiltrating user browsing data.
  • Although the data collection feature was not actively enabled in the analyzed version (7.0.18), the complete framework for exfiltration was present and could be activated remotely.
  • Google and Microsoft have removed ModHeader from their respective extension stores, with Google classifying it as malware.
  • Users are advised to remove the extension, rotate sensitive API keys/tokens, and monitor for associated indicators of compromise.

A widely adopted browser extension, ModHeader, has been pulled from both the Chrome Web Store and Microsoft Edge Add-ons marketplace following the discovery of embedded code designed to collect, encrypt, and potentially transmit users’ browsing activity. This utility, popular among developers for modifying HTTP headers, had amassed approximately 1.6 million installations across Chrome and Microsoft Edge.

Table Of Content

  • Key Takeaways
  • Detailed Analysis of the ModHeader Vulnerability
  • Dormant Data Collection Framework
  • Additional Telemetry and Vendor Response
  • What You Should Do

While ModHeader’s core functionality necessitated broad permissions to interact with web traffic and pages, researchers identified a hidden data exfiltration pipeline within its signed release. This capability, though inactive in the analyzed version, raised significant security concerns due to its completeness and potential for remote activation.

Detailed Analysis of the ModHeader Vulnerability

Dormant Data Collection Framework

Researchers examining ModHeader version 7.0.18 uncovered a browsing-history collection mechanism within the extension’s background service worker. This sophisticated logic was engineered to extract domain names from visited URLs, encrypt them using a hardcoded AES-GCM key, and then store these encrypted records in IndexedDB.

The exfiltration pipeline utilized two local data stores: a ‘settings’ store for maintaining a persistent installation fingerprint, an encryption initialization vector, and upload timing data; and a ‘temp’ store for encrypted domain records and visit counters. The system was configured to retain up to 1,000 unique domains before initiating an upload. The code also included an outbound POST request routine directed to https://api.stanfordstudies.com/app/log.

According to StripeOlt’s analysis, the intended payload would have contained encrypted browsing data, device fingerprint information, and browser specifics. The uploader was designed with retry logic for failed transmissions and would erase local domain data upon successful upload, thereby reducing forensic traceability.

Crucially, the history-collection function in the examined build was gated by an empty allow-list. Since no specific browser identifier was present in this list, the data collection and upload path did not execute in ModHeader version 7.0.18. However, the primary concern remains that the entire framework for collection, encryption, storage, scheduling, and transmission was fully implemented and could be enabled through a routine extension update, bypassing the need for new user permissions.

Additional Telemetry and Vendor Response

Beyond the dormant exfiltration capability, the ModHeader extension also incorporated active telemetry linked to extensions-hub.com. This functionality reported install, update, and uninstall events, demonstrating the extension’s existing communication with third-party infrastructure, separate from the browsing history upload feature.

Both Google and Microsoft have acted swiftly, removing ModHeader from their respective extension stores. Microsoft’s removal occurred on July 3, with Google subsequently flagging the extension as malware. Researchers from aydinnyunus.github noted that this incident highlights a persistent browser supply chain vulnerability: while platform signatures confirm an extension’s origin, they do not guarantee the safety of all capabilities introduced in subsequent updates.

This event underscores the importance of treating high-permission extensions as third-party software, necessitating robust security practices such as allowlists, continuous inventory monitoring, and periodic behavioral reviews.

What You Should Do

  • Remove the Extension: Immediately remove ModHeader (Extension ID: idgpnmonknjnojddfkpgkljpfnnfcklj) from all Chrome and Microsoft Edge browsers.
  • Rotate Sensitive Credentials: If you used ModHeader for API testing or development, review and rotate any sensitive values previously placed in custom headers, including API keys, authorization tokens, and session cookies.
  • Network Monitoring: Organizations should configure firewalls and proxies to block or monitor traffic to stanfordstudies.com and extensions-hub.com.
  • Endpoint Detection: Hunt for the ModHeader extension ID (idgpnmonknjnojddfkpgkljpfnnfcklj) across managed browser environments.
  • Security Awareness: Educate users about the risks associated with browser extensions and the importance of scrutinizing permissions and developer reputation.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

MalwareThreatVulnerability

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Telegram’s t.me Domain Suspended, Breaking Links Worldwide

Next Post

US Treasury Sanctions VPN Service for Aiding Ransomware Attacks

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
xAI Grok CLI Exposed Git Repos and .env Secrets on Cloud Storage
July 14, 2026
Salesforce Fixes Critical OAuth Flaw Allowing Persistent Data Access
July 14, 2026
Critical VMware Avi Load Balancer Flaws Let Attackers Bypass Authentication
July 14, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
CyberSecurity News

Top 10 High-Risk Vulnerabilities Of 2025 that Exploited in the Wild

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us