Uninstall this Chrome extension now: it contains surveillance code
Don’t trust everything you find on Chrome Web Store.

- Google removed the ModHeader Chrome extension after researchers found hidden code that could collect users' browsing data, affecting nearly 900,000 users.
- Researchers found the extension could collect browsing history, create a device identifier, encrypt data, and prepare it for transmission to external servers.
- The researchers did not observe active data theft, but warned a future update could enable it without requiring user permissions.
- Even trusted browser extensions, especially used by developers and enterprises, are risky as they can access sensitive browsing activity and internal information.
The popular Chrome extension ModHeader was removed after researchers discovered hidden code that collects data.
A Chrome extension used by nearly 900,000 users has been removed from the Chrome Web Store after security researchers at Stripe's OLT Security Operations Center (SOC) discovered hidden functionality that collects browsing data and sends it to external servers.
The researchers found that version 7.0.18 of the extension, which was publicly available, contained code designed to collect browsing information, encrypt it, and prepare it for potential exfiltration.
However, despite the presence of malicious components, automated security scanners reportedly rated the extension as low risk. After the responsible disclosure, Google removed the extension from the Chrome Web Store.
Tool trusted by developers
ModHeader is a browser utility widely used by developers, security teams, and QA engineers to modify HTTP request and response headers during testing.
Because the extension has a real purpose, a large user base, and was distributed through the official Chrome Web Store, researchers say it benefited from the trust that users typically place in popular browser tools.
“Browser extensions occupy a uniquely privileged position,” the researchers said in a report.
“A single extension with broad host permissions can read and modify every page you load, watch every request your browser makes, and persist quietly across sessions.” The investigation found that the extension, apart from regular header modification functionality, also had more sketchy features:
- A browsing history collection system
- Device fingerprinting capabilities
- AES-GCM encryption for collected data
- A scheduled upload mechanism
- Telemetry collection linked to external domains
- Website monitoring scripts
The Chrome extension was logging browsing history
According to the researchers, the suspicious functionality was embedded inside the extension's service worker code alongside legitimate ModHeader components.
The system could generate a unique device identifier, collect visited domains, encrypt the information using a hardcoded encryption key, and store the data locally before transmission.
The researchers said the extension was designed to collect domain information from browsing activity and store up to 1,000 unique domains per device.
Also, the system included several features commonly associated with stealthy data collection, including delayed uploads, retry mechanisms, and cleanup after successful transmission.
The extension was not actively exfiltrating user data
While the capabilities that were coded into the ModHeader extension are raising alarms, the researchers said the tool was not actively exfiltrating browsing history.“While we did not observe active browsing-history exfiltration in this build, the underlying collection, storage, scheduling, and communication mechanisms are already present,” they said.
However, the underlying components were present, which is a real red flag, as a future extension update could potentially activate the functionality without requiring new permissions or user approval.
Targeting developers may open doors to internal infrastructure
Users who downloaded the extension may be at heightened risk. The researchers highlight that this extension can observe every page the users load, which is extremely dangerous.
A history of visited domains can reveal sensitive information about enterprise activity. Enterprise users frequently work with URLs containing SAS URIs, password reset links, magic-login links, embedded access tokens, invitation URLs, shared documents, and other credentials in query strings.
Visibility into full navigation events creates the potential for access to sensitive resources without directly compromising an account.
The extension’s target audience is developers, which also raises concerns that potential attackers could use the developers' access to internal infrastructure to initiate breaches.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
If you use this extension, uninstall it now
While Google has removed the extension, users who have already installed it and are using it are recommended to remove it immediately.
The researchers also advise clearing associated browser data and verifying that it has not persisted through browser sync or managed extension policy.
“For security teams, this serves as a reminder that store provenance, digital signatures, and popularity are indicators of origin – not indicators of safety,” they noted. Researchers recommended that security teams in organizations proactively hunt for the indicators of compromise, remove or block the extension ID within managed Chrome environments, and add the associated infrastructure to network and endpoint detection controls.