Google and Microsoft removed ModHeader, a widely used header-editing extension, after researchers found a dormant browsing-history collector hidden inside its official store version. The code could have encrypted page domains and uploaded them to remote servers if an internal allow-list were ever populated, while additional tracking and call-home behavior was also discovered. #ModHeader #StripeOLT #Chrome #Edge
Keypoints
- ModHeader was pulled from Chrome and Edge after a hidden history collector was found.
- The collector was dormant because an empty allow-list kept it from activating.
- The extension still gathered some metadata and pinged external domains on install and page loads.
- Researchers confirmed the code was inside the genuine store-signed extension.
- Defenders were advised to remove the extension, rotate exposed secrets, and block related domains.
Read More: https://thehackernews.com/2026/07/google-and-microsoft-pull-modheader.html