AI Security AI安全 9h ago Updated 2h ago 更新于 2小时前 48

Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found 谷歌和微软下架拥有160万安装的ModHeader,因发现休眠的数据收集器

Google and Microsoft removed the popular ModHeader extension (approx. 1.6 million installs) after discovering a dormant, hidden browsing-history collector within the official codebase. Security firm Stripe OLT confirmed the malicious code was present in the genuine, signed extension, utilizing an empty allow-list to keep the data collection pipeline inactive until potentially activated via a routine update. The collector was designed to fingerprint devices, encrypt domain history locally, and ex Google Chrome 和 Microsoft Edge 下架了拥有约160万安装量的流行扩展 ModHeader,因其官方版本中内置了隐藏的浏览历史收集器。 安全公司 Stripe OLT 确认该恶意代码存在于经过数字签名的正版扩展中,但收集功能因白名单为空而处于休眠状态,无证据表明数据曾被发送。 尽管未实际泄露数据,扩展仍通过硬编码密钥加密设备指纹和域名,并定期尝试上传至伪装成斯坦福研究的服务器,且自动扫描工具未能检测出风险。 此次事件揭示了“休眠式”恶意代码的威胁,即通过常规更新激活潜在的数据窃取管道,挑战了现有的应用商店审核机制。

75
Hot 热度
65
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • Google and Microsoft removed the popular ModHeader extension (approx. 1.6 million installs) after discovering a dormant, hidden browsing-history collector within the official codebase.
  • Security firm Stripe OLT confirmed the malicious code was present in the genuine, signed extension, utilizing an empty allow-list to keep the data collection pipeline inactive until potentially activated via a routine update.
  • The collector was designed to fingerprint devices, encrypt domain history locally, and exfiltrate data daily to api.stanfordstudies[.]com, evading detection through encryption and dormant state.
  • While no evidence suggests data was actually stolen, the incident highlights how automated scanners and sandboxing fail to detect dormant code paths in trusted, high-installation extensions.

Why It Matters

This incident demonstrates a sophisticated supply chain attack vector where trusted, high-reputation extensions serve as carriers for dormant malware, bypassing traditional security controls that rely on reputation scores and static analysis. It underscores the critical vulnerability of browser ecosystems to silent code injection and the limitations of current automated auditing tools in detecting conditional, inactive malicious logic.

Technical Details

  • Dormant Collection Pipeline: The extension contained code to build a device fingerprint, load a hardcoded encryption key, and store up to 1,000 visited domains locally. A daily scheduler was programmed to bundle this data and POST it to api.stanfordstudies[.]com.
  • Evasion Mechanisms: The collector was gated by an internal allow-list that shipped empty, preventing execution. Data was encrypted to frustrate content scanners, and upload times were offset per installation to avoid network traffic spikes.
  • Verification of Authenticity: Stripe OLT verified the code against Google’s Web Store signature, confirming the malicious payload was embedded in the legitimate extension distribution, not a counterfeit version.
  • Additional Data Leaks: Beyond the dormant collector, the extension actively pinged extensions-hub[.]com with product/version data on install/update/uninstall and logged plain-text HTTP headers to local storage, posing a risk for credential leakage.

Industry Insight

  • Audit Limitations: Security teams must recognize that automated scanners and sandbox tests often miss dormant code paths; manual code review or dynamic analysis of update mechanisms is necessary to detect conditional malicious logic.
  • Supply Chain Vigilance: Organizations should monitor for changes in ownership or sudden shifts in privacy policies for widely used extensions, as these can precede the introduction of hidden data collection features.
  • Incident Response Protocol: Users of such extensions should immediately revoke stored credentials (API keys, tokens) and rotate secrets, assuming that local storage of headers may have exposed sensitive authentication data even if exfiltration did not occur.

TL;DR

  • Google Chrome 和 Microsoft Edge 下架了拥有约160万安装量的流行扩展 ModHeader,因其官方版本中内置了隐藏的浏览历史收集器。
  • 安全公司 Stripe OLT 确认该恶意代码存在于经过数字签名的正版扩展中,但收集功能因白名单为空而处于休眠状态,无证据表明数据曾被发送。
  • 尽管未实际泄露数据,扩展仍通过硬编码密钥加密设备指纹和域名,并定期尝试上传至伪装成斯坦福研究的服务器,且自动扫描工具未能检测出风险。
  • 此次事件揭示了“休眠式”恶意代码的威胁,即通过常规更新激活潜在的数据窃取管道,挑战了现有的应用商店审核机制。

为什么值得看

这篇文章揭示了即使经过官方商店签名验证的高信任度扩展也可能隐藏恶意逻辑,打破了“签名即安全”的固有认知。它展示了攻击者如何利用休眠代码和加密手段规避自动化安全扫描,为浏览器扩展生态的安全审计提供了重要的反面教材。

技术解析

  • 隐蔽架构与休眠机制:ModHeader v7.0.18 在正常的 HTTP 头编辑功能之外,嵌入了第二套系统。首次运行时构建设备指纹并加载硬编码加密密钥,记录访问过的域名(最多1000个)。数据每日打包加密后发送至 api.stanfordstudies[.]com,随后清除本地副本。触发条件依赖于内部白名单,而该白名单在发布时为空,导致收集器始终处于休眠状态。
  • 混淆与规避检测:恶意代码被最小化并混入合法代码库中。数据在传输前进行加密,使得静态扫描器只能看到密文;由于上传网关未激活,沙箱测试中也没有网络流量发出。此外,扩展在每次安装、更新和卸载时还会向 extensions-hub[.]com 发送产品、版本和浏览器信息,并在本地明文存储请求元数据。
  • 基础设施溯源stanfordstudies[.]com 并非斯坦福大学所有,而是重用的旧域名,前端为 OpenSearch 后端;extensions-hub[.]com 用于广告。两个 API 端点在分析时解析到同一台 Amazon 服务器。部分弱信号(如简体中文区域设置、字符“盐”作为 Salt 标记、中国来源邮箱)暗示操作者可能为中国 speaking 群体,但未确证具体组织。
  • 审核漏洞:自动化检查工具曾给 ModHeader 打出低风险评分(高达95/100)。这是因为恶意代码隐藏在合法代码中,端点无恶意声誉记录,且拥有可信的商店签名。签名仅证明文件来源,无法保证行为安全。

行业启示

  • 重新评估扩展信任模型:应用商店的数字签名只能验证文件的完整性及发布者身份,不能验证代码行为的正当性。安全团队和用户需意识到,即使是高下载量、高评分的官方扩展,也可能在后续更新中植入恶意逻辑。
  • 加强动态行为监控:传统的静态扫描和沙箱测试难以检测休眠代码或加密后的隐蔽通信。防御策略应转向更严格的网络流量异常检测、DNS 日志监控以及对已知恶意域名(如伪装成学术机构的域名)的封锁。
  • 警惕“休眠式”供应链攻击:攻击者倾向于在扩展中预埋完整的数据窃取管道,仅在特定条件满足(如白名单填充)时才激活。这种策略利用了常规更新机制,使得恶意代码在潜伏期间不被发现。开发者应定期审查第三方依赖和代码变更,用户应及时移除不再使用或来源不明的扩展。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 Research 科学研究