What Happened
Google and Microsoft have simultaneously pulled ModHeader from the Chrome Web Store and Microsoft Edge Add-ons marketplace after security researchers discovered a hidden browsing-history collector embedded in the extension's official distributed version.
ModHeader is a widely used developer tool that allows users to add, modify, and remove HTTP request and response headers — a legitimate utility commonly used by web developers, QA engineers, and security professionals for testing. With approximately 1.6 million combined installs across Chrome and Edge, it had a substantial trusted install base.
The collector was dormant at the time of discovery. An empty allow-list configuration kept the data collection functionality switched off — but the mechanism to gather and transmit browsing history was present and functional, waiting to be activated.
The Hidden Collector
Researchers examining the extension's code found components designed to:
- Record browsing history — track URLs visited by the user
- Transmit data externally — infrastructure for sending collected history to external endpoints
- Activate remotely — an allow-list mechanism that could be populated via an update or remote configuration, enabling collection without requiring a new store submission
The dormant state is particularly concerning from a security perspective. A dormant collector represents a ticking time bomb: the extension is installed and trusted, the collection code is in place, and activation requires only a configuration change — no new binary review, no store re-submission, no user action.
Why This Matters
The Dormant Threat Model
Most browser extension security reviews focus on what an extension currently does. A dormant collector defeats this model: it passes review in an inactive state, builds a large trusted install base, then activates collection once enough users are present or when the operator decides to monetize.
This is a well-documented pattern in the browser extension ecosystem, sometimes called sleeper monetization. Extensions are built with legitimate functionality, accumulate installs, and then either:
- Introduce data collection gradually through updates
- Include dormant collection code activated remotely
- Are acquired by data brokers who then flip the collection switch
Scale of Exposure
1.6 million users across Chrome and Edge is not a small audience. Even if the collector was never activated, the potential exposure — had it been switched on — represents a significant privacy and enterprise security risk. For organizations where employees use ModHeader for development work, their internal tooling, authenticated session URLs, and internal application paths could have been harvested.
Supply Chain Implications
This incident is the latest in a growing series of browser extension supply chain compromises and abuses. Unlike traditional software supply chain attacks, browser extensions:
- Update silently and automatically in most configurations
- Run with broad permissions (access to all URLs, network requests, etc.)
- Are rarely subject to ongoing security review after initial installation
- Can change ownership without users being notified
Response
Both Google and Microsoft acted to remove the extension from their respective stores following the researcher disclosure. Users who have ModHeader installed should:
- Remove the extension immediately — navigate to
chrome://extensionsoredge://extensionsand uninstall ModHeader - Audit browser extension permissions — review all installed extensions for broad permissions that could enable data collection
- Consider alternatives — several open-source HTTP header modification tools are available with auditable codebases
Enterprise Considerations
For security teams managing browser extensions across enterprise fleets:
- Implement extension allowlisting — only permit pre-approved extensions via group policy or browser management platforms
- Monitor extension updates — changes in permissions after install should trigger review
- Review extension inventory regularly — remove extensions that are no longer needed or have not been actively reviewed
- Prefer extensions with public source code — open-source extensions with active development communities are easier to audit
Broader Context
This incident follows a pattern of high-profile extension removals in recent years. The browser extension ecosystem remains a significant blind spot for many organizations' security programs. Unlike endpoint software subject to rigorous change control, browser extensions often install and update with minimal oversight.
Regulators and platform providers are increasingly scrutinizing this space — Google's Manifest V3 transition aimed in part to reduce extension capabilities, and both Google and Microsoft have expanded their extension review processes — but the ModHeader case demonstrates that hidden or dormant functionality can still slip through.