ModHeader Extension Removed From Chrome and Edge After Researchers Spot Dormant History Collector
By
Mr Bagel
Google and Microsoft have pulled ModHeader, a popular header-editing browser extension with roughly 1.6 million total installs, from the Chrome Web Store and Edge Add-ons store after a dormant browsing-history collector was discovered hidden in its code. BackBox.org reported that the collector was found in the official store version of the extension, though it had been switched off via an empty allow-list. No evidence has emerged that the collector ever gathered or transmitted any user data.
The discovery was made by cybersecurity firm Stripe OLT, according to cysecurity.news. The firm identified "a dormant browsing-history collector embedded in its code," which was kept inactive through a mechanism that never listed any sites to monitor. Both outlets noted that the collector had never activated and that there was no proof of data being retrieved or transmitted.
"The collector was dormant. An empty allow-list kept it switched off, and no proof has emerged that it ever gathered or sent a…"
Google and Microsoft removed the extension as a precautionary measure, rather than in response to confirmed abuse. The companies have not yet disclosed whether they will reinstate ModHeader if its developer provides a clean version, but the removal highlights the ongoing trust challenges in browser extension ecosystems.
"The collector was switched off via an empty allow-list and never activated, with no evidence that any browsing data was retrieved or transmitted."
With over a million users suddenly left without the extension, the incident serves as a reminder that dormant code can still trigger takedowns if it threatens user privacy, even when no harm is ever done.
The reporting
2 outlets covered this story. Each links to the original.
Baker's Take
Comments
Sign in to join the conversation.
No comments yet. Be the first.