Particle.news

Google and Microsoft Remove ModHeader After Hidden Browsing Collector Found

Security researchers found an encrypted, dormant module inside the official ModHeader build capable of collecting visited domains for daily uploads to an external endpoint, exposing gaps in store review.

Overview

  • Microsoft removed ModHeader from the Edge Add-ons store on July 3, 2026, and Google pulled the Chrome listing on July 10, 2026, after third‑party researchers disclosed the findings.
  • Analysts who inspected versions 7.0.17 and 7.0.18 found a hidden collector that builds a device fingerprint, uses a hardcoded encryption key, stores up to 1,000 distinct domains locally, and schedules once‑daily uploads to api.stanfordstudies[.]com.
  • The collector was gated by an internal allow‑list that shipped empty in the examined builds and researchers found no confirmed evidence that browsing domains were exfiltrated from real users.
  • Teardowns confirmed the collector existed inside the officially signed extension package and also showed active telemetry: install/update/uninstall pings to extensions-hub[.]com and plain‑text logging of request metadata to local storage.
  • Security teams are urged to remove the extension from endpoints, rotate any API keys or tokens stored in it, block the identified domains at DNS or proxy, and increase audits and runtime monitoring for header‑editing extensions because their broad permissions create a large attack surface.