Google Removes Popular Chrome Extension Over Hidden Tracking Code

14.07.2026 4 minutes Author: Newsman
A Chrome extension used by nearly 900,000 users has been removed from the Chrome Web Store after security researchers at Stripe’s Operations Center (SOC) uncovered hidden functionality designed to collect browsing data and transmit it to external servers.

It was discovered that the publicly available version 7.0.18 of the extension contained code designed to collect browsing information, encrypt it, and prepare it for potential exfiltration. Despite the presence of these components, automated security scanners reportedly classified the extension as low risk. Following responsible disclosure, Google removed it from the Chrome Web Store.

ModHeader is a browser extension widely used by developers, cybersecurity professionals, and quality assurance engineers to modify HTTP request and response headers during testing.

Because the extension serves a legitimate purpose, has a large user base, and was distributed through the official Chrome Web Store, researchers say it benefited from the high level of trust users typically place in popular browser tools.

“Browser extensions occupy a uniquely privileged position,” the report states.

“A single extension with broad host permissions can read and modify every page you visit, monitor every request your browser makes, and remain quietly active across browsing sessions.”

During the investigation, researchers found that, in addition to its legitimate header-modification functionality, ModHeader also included several questionable capabilities:

  • a browsing history collection system;

  • device fingerprinting capabilities;

  • AES-GCM encryption for collected data;

  • a delayed upload mechanism;

  • telemetry collection involving external domains;

  • website monitoring scripts.

Chrome Extension Logged Browsing History

According to the researchers, the suspicious functionality was embedded within the extension’s service worker code alongside ModHeader’s legitimate components.

The system was capable of generating a unique device identifier, collecting visited domains, encrypting the information using a hardcoded encryption key, and storing it locally before a potential upload.

Researchers said the extension was designed to collect domain information from browsing activity and store up to 1,000 unique domains per device.

The system also included several features commonly associated with covert data collection, including delayed uploads, retry mechanisms, and automatic cleanup after a successful transmission.

Although the capabilities built into ModHeader are concerning, researchers noted that the extension was not actively stealing users’ browsing history.

“While we did not observe active exfiltration of browsing history in this build, the underlying collection, storage, scheduling, and communication mechanisms are already present,” they said.

However, the presence of these underlying components is a serious warning sign, as a future update could potentially activate this functionality without requiring any additional permissions or user approval.

Developer-Focused Targeting Could Expose Internal Infrastructure

Users who installed the extension may face an elevated level of risk. Researchers warn that it has the ability to monitor every page users visit, making it particularly dangerous.

A user’s browsing history can reveal sensitive information about an organization’s operations. Enterprise users frequently work with URLs containing SAS URIs, password reset links, magic login links, embedded access tokens, invitation URLs, shared documents, and other sensitive credentials passed through query strings.

Visibility into complete browsing activity creates the potential for attackers to gain access to sensitive resources without directly compromising a user’s account.

Because ModHeader is primarily used by developers, researchers also warn that threat actors could potentially abuse developers’ privileged access to internal infrastructure as a stepping stone for broader attacks.

If You Use This Extension, Remove It Immediately

Although Google has already removed ModHeader from the Chrome Web Store, users who previously installed it are strongly advised to uninstall the extension immediately. Researchers also recommend clearing any related browser data and checking whether it persists through Chrome Sync or managed extension policies.

“For security teams, this serves as another reminder that an extension’s presence in an official store, its digital signature, and its popularity indicate provenance—not security.”

Researchers also recommend that organizations proactively look for indicators of compromise, remove or block the extension’s ID in managed Chrome environments, and add the associated infrastructure to network and endpoint detection systems.

Subscribe
Notify of
0 Коментарі
Oldest
Newest Most Voted
Found an error?
If you find an error, take a screenshot and send it to the bot.