Security Vulnerability Unveiled in Popular Chrome Extension ModHeader
A significant security vulnerability has been identified in the popular Chrome extension, ModHeader version 7.0.187.0.187.0.18. This extension, widely used for HTTP header modification, was found to harbor dormant code capable of capturing and exfiltrating browsing history data. According to research published on July 13, 2026, this alarming issue has impacted an estimated 900,000 users.
In response to this critical revelation, Google acted swiftly to remove the implicated extension from the Chrome Web Store on July 10. Following a responsible disclosure protocol, organizations employing the extension are now urged to identify existing installations across both managed and unmanaged endpoints. Furthermore, they should take immediate action to remove the extension and investigate any potential historical links to the associated malicious infrastructure.
The analysis of ModHeader was conducted by the Stripe OLT Security Operations Center (SOC), which examined the publicly available version on July 6. During the investigation, it was discovered that while the extension functioned correctly as a header-editing tool, it contained a sophisticated surveillance architecture hidden within its minified service worker code.
Significantly, this code comprised several concerning features, including device fingerprinting capabilities, an AES-GCM encrypted domain-collection mechanism, IndexedDB staging, and a daily, jittered upload routine specifically targeting certain URLs. Researchers identified two primary endpoints:
The browsing history collector was designed to extract domains from visited URLs, encrypt them utilizing a hardcoded AES-GCM key, and store the data in an IndexedDB database labeled "temp." Additionally, a separate settings store retained critical information such as device fingerprints, initialization vectors, and scheduling data. A code snippet illustrating the functionality read as follows:
function onVisit(url) {
const domain = extractDomain(url);
const encrypted = aesGcmEncrypt(hardcodedKey, domain, aesIv);
temp[encrypted] = (temp[encrypted] || 0) + 1;
}
The researcher’s review confirmed that this code limited storage to 1,000 distinct domains. The design aimed to package encrypted browsing activity along with a device fingerprint and browser identifier before transmitting the data to the remote endpoint.
Despite the serious implications of the embedded surveillance code, it is important to note that version 7.0.187.0.187.0.18 did not actively collect or transmit browsing history due to the absence of entries in an empty allow-list that controlled the data collection trigger. The relevant code snippet demonstrated this safeguard:
if (allowList.indexOf(currentBrowser()) === -1) {
return;
}
collectAndMaybeUpload(tab.url);
With this empty allow-list, the tab-update handler exited without executing any URL collection. Nevertheless, the researchers indicated that the built-in encryption key, storage routines, upload scheduler, endpoint, retry logic, and cleanup functions were already present in the signed release. This poses serious concerns, as future updates to the extension could easily enable data collection by populating the allow-list without requiring any additional permissions or user prompts. Alarmingly, the extension already had comprehensive access validated through permissions for <all_urls>, web requests, storage, alarms, and content-script injection.
Meanwhile, active telemetry within the code was designed to send notifications regarding installs, updates, and uninstall events to extensions-hub.com. This was not the only concern; researchers also discovered that local plaintext request metadata from regular browsing sessions had been stored in IndexedDB, suggesting that monitoring mechanisms had indeed been executed.
The investigation clarified that the malicious code had been propagated through the official Chrome Web Store, dismissing the notion that it was a repackaged or unauthorized clone. Verification through Chrome’s _metadata/verified_contents.json indicated the official extension ID (idgpnmonknjnojddfkpgkljpfnnfcklj), confirming the presence of version 7.0.187.0.187.0.18, alongside the signatures from both the publisher and the Google Web Store.
To further validate the security integrity of the code, researchers recomputed content verification hashes for the service worker and content script, confirming alignment with Google-signed tree hashes. This validation substantiated that the surveillance-oriented code was indeed incorporated in the bundled extension distributed through the store.
Given the implications of this vulnerability, organizations and users are encouraged to take immediate action to safeguard their data. The investigation has outlined several Indicators of Compromise (IoCs) pertaining to the extension, such as its unique Extension ID, telemetry URLs, and local artifact storage.
In conclusion, the discovery of this serious vulnerability in ModHeader serves as a poignant reminder of the potential risks associated with browser extensions. Users are urged to remain vigilant and proactive in managing their browser extensions, ensuring their data remains secure in an increasingly digitized world.

