Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found
Google and Microsoft removed the popular ModHeader extension (approx. 1.6 million installs) after discovering a dormant, hidden browsing-history collector within the official codebase. Security firm Stripe OLT confirmed the malicious code was present in the genuine, signed extension, utilizing an empty allow-list to keep the data collection pipeline inactive until potentially activated via a routine update. The collector was designed to fingerprint devices, encrypt domain history locally, and ex
Analysis
TL;DR
- Google and Microsoft removed the popular ModHeader extension (approx. 1.6 million installs) after discovering a dormant, hidden browsing-history collector within the official codebase.
- Security firm Stripe OLT confirmed the malicious code was present in the genuine, signed extension, utilizing an empty allow-list to keep the data collection pipeline inactive until potentially activated via a routine update.
- The collector was designed to fingerprint devices, encrypt domain history locally, and exfiltrate data daily to
api.stanfordstudies[.]com, evading detection through encryption and dormant state. - While no evidence suggests data was actually stolen, the incident highlights how automated scanners and sandboxing fail to detect dormant code paths in trusted, high-installation extensions.
Why It Matters
This incident demonstrates a sophisticated supply chain attack vector where trusted, high-reputation extensions serve as carriers for dormant malware, bypassing traditional security controls that rely on reputation scores and static analysis. It underscores the critical vulnerability of browser ecosystems to silent code injection and the limitations of current automated auditing tools in detecting conditional, inactive malicious logic.
Technical Details
- Dormant Collection Pipeline: The extension contained code to build a device fingerprint, load a hardcoded encryption key, and store up to 1,000 visited domains locally. A daily scheduler was programmed to bundle this data and POST it to
api.stanfordstudies[.]com. - Evasion Mechanisms: The collector was gated by an internal allow-list that shipped empty, preventing execution. Data was encrypted to frustrate content scanners, and upload times were offset per installation to avoid network traffic spikes.
- Verification of Authenticity: Stripe OLT verified the code against Google’s Web Store signature, confirming the malicious payload was embedded in the legitimate extension distribution, not a counterfeit version.
- Additional Data Leaks: Beyond the dormant collector, the extension actively pinged
extensions-hub[.]comwith product/version data on install/update/uninstall and logged plain-text HTTP headers to local storage, posing a risk for credential leakage.
Industry Insight
- Audit Limitations: Security teams must recognize that automated scanners and sandbox tests often miss dormant code paths; manual code review or dynamic analysis of update mechanisms is necessary to detect conditional malicious logic.
- Supply Chain Vigilance: Organizations should monitor for changes in ownership or sudden shifts in privacy policies for widely used extensions, as these can precede the introduction of hidden data collection features.
- Incident Response Protocol: Users of such extensions should immediately revoke stored credentials (API keys, tokens) and rotate secrets, assuming that local storage of headers may have exposed sensitive authentication data even if exfiltration did not occur.
Disclaimer: The above content is generated by AI and is for reference only.