Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
ModHeader Chrome Extension Pulled for Data Exfiltration Risk

ModHeader Chrome Extension Pulled for Data Exfiltration Risk

Posted on July 14, 2026 By CWS

A popular browser extension, ModHeader, was recently taken down from the Chrome Web Store following the discovery of hidden data exfiltration capabilities. Researchers identified that the extension’s signed release was equipped with features to potentially collect and encrypt users’ browsing domain data.

Extension’s Widespread Use and Permissions

With approximately 1.6 million installations across Chrome and Microsoft Edge, ModHeader is widely used by developers for adjusting HTTP request and response headers. While its extensive permissions are necessary for its primary function, they also allow it to interact with internet traffic and webpages accessed by users.

In version 7.0.18 of ModHeader, researchers found a code segment capable of collecting browsing history through the extension’s background service worker. This code was designed to extract URLs, encrypt them using a pre-set AES-GCM key, and store these encrypted records in IndexedDB.

Details of the Data Collection Mechanism

The data exfiltration mechanism used two storage solutions: a settings store for installation fingerprints and encryption data, and a temporary store for encrypted domain records and visit counters. It was structured to accumulate up to 1,000 unique domains before initiating an upload. This process also included a POST request routine aimed at transmitting data.

StripeOlt’s analysis revealed that the data payload comprised encrypted browsing data, device fingerprints, and browser specifics. The uploader was programmed to retry failed transmissions and delete locally stored data upon a successful upload, thereby minimizing forensic traces.

Implications and Response

Despite the concerning capabilities, researchers noted that the data collection feature was inactive due to an empty allow-list, meaning it did not execute in the current version. Nonetheless, the infrastructure for collection, encryption, and data transmission was already established and could be activated through a routine update without requesting additional permissions.

Additionally, the extension included telemetry functions connected to extensions-hub.com, which monitored install, update, and uninstall events. This communication with third-party infrastructure heightened concerns about user privacy.

In response, both Google and Microsoft removed ModHeader from their extension stores. Microsoft took action on July 3, and Google soon after labeled the extension as malware. Organizations are advised to search for the extension ID idgpnmonknjnojddfkpgkljpfnnfcklj, monitor relevant domains, and remove the extension from managed environments.

Conclusion and Recommendations

The incident underlines the ongoing risks within the browser supply chain. Although Chrome Web Store signatures validate an extension’s origin, they do not guarantee the safety of new capabilities introduced in updates. High-permission extensions should be managed like third-party software, with allowlists, periodic behavior reviews, and inventory monitoring.

Users who utilized ModHeader for API testing should reassess and rotate sensitive data previously used, such as API keys and session cookies. This event serves as a reminder of the necessity for stringent security measures and regular scrutiny of browser extensions.

Cyber Security News Tags:browser extensions, browser security, Chrome extension, Cybersecurity, data exfiltration, Encryption, Google Chrome, Malware, Microsoft Edge, ModHeader, privacy concerns, software update, Telemetry, user privacy, web security

Post navigation

Previous Post: U.S. Targets VPN and Cryptor Seller for Ransomware Aid

Related Posts

CISA Alerts on Critical Roundcube Webmail Vulnerabilities CISA Alerts on Critical Roundcube Webmail Vulnerabilities Cyber Security News
DesckVB RAT 2.9: Advanced Threat with Modular Plugins DesckVB RAT 2.9: Advanced Threat with Modular Plugins Cyber Security News
Android Malware Alert: MiningDropper’s Dangerous Impact Android Malware Alert: MiningDropper’s Dangerous Impact Cyber Security News
Multiple Vulnerabilities in Tridium Niagara Framework Multiple Vulnerabilities in Tridium Niagara Framework Cyber Security News
DarkMoon Launches AI-Driven Penetration Testing Platform DarkMoon Launches AI-Driven Penetration Testing Platform Cyber Security News
Anthropic’s Claude Services Experience Major Disruption Anthropic’s Claude Services Experience Major Disruption Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • ModHeader Chrome Extension Pulled for Data Exfiltration Risk
  • U.S. Targets VPN and Cryptor Seller for Ransomware Aid
  • Pentagon Reevaluates Cybersecurity Certification Strategy
  • Microsoft Identifies Three Salesforce Threat Vectors
  • Telegram’s t.me Domain Suspension Disrupts Global Links

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • ModHeader Chrome Extension Pulled for Data Exfiltration Risk
  • U.S. Targets VPN and Cryptor Seller for Ransomware Aid
  • Pentagon Reevaluates Cybersecurity Certification Strategy
  • Microsoft Identifies Three Salesforce Threat Vectors
  • Telegram’s t.me Domain Suspension Disrupts Global Links

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark