A popular browser extension, ModHeader, was recently taken down from the Chrome Web Store following the discovery of hidden data exfiltration capabilities. Researchers identified that the extension’s signed release was equipped with features to potentially collect and encrypt users’ browsing domain data.
Extension’s Widespread Use and Permissions
With approximately 1.6 million installations across Chrome and Microsoft Edge, ModHeader is widely used by developers for adjusting HTTP request and response headers. While its extensive permissions are necessary for its primary function, they also allow it to interact with internet traffic and webpages accessed by users.
In version 7.0.18 of ModHeader, researchers found a code segment capable of collecting browsing history through the extension’s background service worker. This code was designed to extract URLs, encrypt them using a pre-set AES-GCM key, and store these encrypted records in IndexedDB.
Details of the Data Collection Mechanism
The data exfiltration mechanism used two storage solutions: a settings store for installation fingerprints and encryption data, and a temporary store for encrypted domain records and visit counters. It was structured to accumulate up to 1,000 unique domains before initiating an upload. This process also included a POST request routine aimed at transmitting data.
StripeOlt’s analysis revealed that the data payload comprised encrypted browsing data, device fingerprints, and browser specifics. The uploader was programmed to retry failed transmissions and delete locally stored data upon a successful upload, thereby minimizing forensic traces.
Implications and Response
Despite the concerning capabilities, researchers noted that the data collection feature was inactive due to an empty allow-list, meaning it did not execute in the current version. Nonetheless, the infrastructure for collection, encryption, and data transmission was already established and could be activated through a routine update without requesting additional permissions.
Additionally, the extension included telemetry functions connected to extensions-hub.com, which monitored install, update, and uninstall events. This communication with third-party infrastructure heightened concerns about user privacy.
In response, both Google and Microsoft removed ModHeader from their extension stores. Microsoft took action on July 3, and Google soon after labeled the extension as malware. Organizations are advised to search for the extension ID idgpnmonknjnojddfkpgkljpfnnfcklj, monitor relevant domains, and remove the extension from managed environments.
Conclusion and Recommendations
The incident underlines the ongoing risks within the browser supply chain. Although Chrome Web Store signatures validate an extension’s origin, they do not guarantee the safety of new capabilities introduced in updates. High-permission extensions should be managed like third-party software, with allowlists, periodic behavior reviews, and inventory monitoring.
Users who utilized ModHeader for API testing should reassess and rotate sensitive data previously used, such as API keys and session cookies. This event serves as a reminder of the necessity for stringent security measures and regular scrutiny of browser extensions.
