← Back to blog

ModHeader Browser Extension Removed Over Hidden Data Collector

Google and Microsoft removed ModHeader from their stores after researchers discovered a dormant browsing history collector. Although inactive, the finding raises serious privacy concerns for over 1.6 million users.

TL;DR

  • ModHeader, a browser extension with 1.6M+ installs, was pulled by Google and Microsoft.
  • A hidden browsing history collector was found in the official versions.
  • The data collection feature was dormant due to an empty allow-list.
  • No evidence suggests user data was actually collected or transmitted.
  • Organizations should audit third-party extensions used by employees.

ModHeader, a widely-used browser extension for editing HTTP headers, has been removed from the Chrome Web Store and Microsoft Edge Add-ons marketplace. Security researchers identified a hidden component designed to collect users' browsing histories. While the feature was technically dormant, its presence has sparked concern among privacy advocates and enterprise security teams.

With over 1.6 million installations across both platforms, ModHeader had gained popularity among developers and testers for legitimate purposes. However, the discovery of a concealed tracking mechanism—even if inactive—highlights the risks associated with third-party browser extensions. Organizations relying on such tools should evaluate their exposure and consider stricter vetting processes.

Discovery and Response

  • Security researchers flagged an unexpected data collection module embedded within ModHeader's official builds.
  • The module targeted browsing history but remained inactive due to an empty allow-list configuration.
  • Both Google and Microsoft acted swiftly by removing the extension from their respective marketplaces.
  • The extension’s developer has acknowledged the issue and is working on remediation efforts.

Implications for Enterprise Security

  • Browser extensions can pose significant risks if not properly vetted for data handling practices.
  • Even dormant malicious features indicate potential oversight in the extension review process.
  • Enterprises should maintain inventories of approved browser extensions and regularly audit them.
  • IT teams are advised to enforce policies restricting unauthorized extension installations.

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

ModHeader Browser Extension Removed Over Hidden Data Collector — Agent Breach Blog | Agent Breach