Google and Microsoft have yanked ModHeader from their stores, and the reason should unsettle every developer who trusts a signed extension. Researchers found a hidden browsing-history collector built into the tool’s official build, not some counterfeit clone. Roughly 1.6 million people had it installed across Chrome and Edge.
The finding came from UK security firm Stripe OLT, which checked the code against Google’s own Web Store signature. That detail matters enormously, since it proves the collector shipped inside the genuine, verified extension. As the researchers noted, a store signature proves where a file came from, never what it actually does.
The collector was dormant, kept switched off by an empty allow-list, and no proof has emerged that it ever sent a single domain. Yet the entire pipeline sat fully built, including the endpoint, the encryption key, the scheduler, and the collection logic. So a routine update could have flipped it on, needing no new permissions and no user interaction.
The design reads like a checklist for defeating security scans. The data gets encrypted, so scanners see only ciphertext, while the gated upload means sandboxes watch nothing leave. Malicious code sits minified inside a legitimate codebase, and the endpoints carry no bad reputation to flag. Automated checkers rated ModHeader low risk, some as high as 95 out of 100.
Apparently, the extension pinged an external domain on install, update, and uninstall, while a page script logged real request metadata locally in plain text. Some researchers go further, alleging active daily exfiltration to a server tied to a Chinese-speaking operator, though Stripe OLT’s verified analysis stops short of that.
ModHeader’s own site still publishes an ad plan that says it collects no user data, which is hard to square with a built-in browsing-history collector, even a switched-off one. The developer has not responded publicly to the findings as of publication.
If you use ModHeader, remove it now from both browsers, since store removal never touches machines where it already sits. Header editors need broad access to work, so when that trust breaks, the blast radius is wide.
You can read the whole Stripe OLT report here.
