Google and Microsoft recently decided to remove the ModHeader extension, a widely used tool for editing HTTP headers, from their respective browsers. This decision affects approximately 1.6 million users across Chrome and Edge, following the discovery of a concealed data collection mechanism within the extension.
Discovery of the Hidden Collector
Security experts at Stripe OLT, a UK-based firm, identified the dormant collector embedded in the ModHeader extension. The collector was initially inactive due to an empty allow-list, preventing it from gathering any browsing data. Although the collector was present, there is no evidence to suggest it ever collected or transmitted user information.
The extension, which had over 900,000 users on Chrome and around 700,000 on Edge, was pulled from the Chrome Web Store on July 10, following Microsoft’s removal from the Edge store on July 3. The discovery raised concerns about user privacy, despite the tool operating as intended without activating the data collection feature.
Technical Analysis and Security Concerns
Version 7.0.18 of ModHeader contained code that could potentially collect and encrypt browsing domains, storing them locally before transmitting the encrypted data to a remote server. This process would occur daily, with the extension creating a unique device fingerprint. Although the collection mechanism was inactive, its presence in the codebase posed a potential threat to user privacy.
Further investigations by HackIndex and Yunus Aydin confirmed the findings. Despite the collector being dormant, the extension also communicated with another domain, logging request metadata without user consent. These issues highlighted the risks associated with seemingly legitimate extensions harboring hidden capabilities.
Implications and Recommendations for Users
The case of ModHeader underscores the importance of vigilance in the use of browser extensions. Users are advised to remove ModHeader from their browsers to ensure data security. Additionally, any sensitive information that may have been input into the extension, such as API keys or session cookies, should be rotated immediately.
For organizations, it is crucial to block access to related domains like stanfordstudies[.]com and extensions-hub[.]com at the network level. Employing security tools to monitor for suspicious activity related to the extension can further mitigate potential risks.
Conclusion and Future Outlook
This incident highlights the potential for seemingly benign browser extensions to evolve into privacy threats. The ability for a routine update to activate dormant code is a significant concern, emphasizing the need for robust extension review processes. As the digital landscape continues to evolve, vigilance and proactive security measures remain essential to safeguard user data.
