{"id":14282,"date":"2026-07-14T10:03:50","date_gmt":"2026-07-14T10:03:50","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/14\/chrome-extension-used-by-1-6-million-users-silently-included-data-exfiltration-capabilities\/"},"modified":"2026-07-14T10:03:50","modified_gmt":"2026-07-14T10:03:50","slug":"chrome-extension-used-by-1-6-million-users-silently-included-data-exfiltration-capabilities","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/14\/chrome-extension-used-by-1-6-million-users-silently-included-data-exfiltration-capabilities\/","title":{"rendered":"Chrome Extension Used by 1.6 Million Users Silently Included Data Exfiltration Capabilities"},"content":{"rendered":"<p>    Chrome Extension Used by 1.6 Million Users Silently Included Data Exfiltration Capabilities<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">A widely used browser extension, ModHeader, has been removed from the <a href=\"https:\/\/cybersecuritynews.com\/131-malicious-extensions-targeting-whatsapp\/\" target=\"_blank\" rel=\"noreferrer noopener\">Chrome Web Store<\/a> after researchers found that its signed release contained a dormant capability to collect, encrypt, and potentially upload users\u2019 browsing-domain data.<\/p>\n<p class=\"wp-block-paragraph\">The extension reportedly had about 1.6 million combined installations across Chrome and Microsoft Edge. ModHeader is a legitimate developer utility for modifying HTTP request and response headers.<\/p>\n<p class=\"wp-block-paragraph\">Its broad permissions are expected for that function. However, they also give it the ability to interact with traffic and pages across all websites a user visits.<\/p>\n<p class=\"wp-block-paragraph\">Researchers examining ModHeader version 7.0.18 identified code for a browsing-history collection pipeline inside the extension\u2019s background service worker.<\/p>\n<p class=\"wp-block-paragraph\">The logic was designed to extract domains from visited URLs, encrypt them with a hardcoded AES-GCM key, and store the encrypted records in IndexedDB.<\/p>\n<h2 id=\"h-chrome-extension-for-users-data-exfiltration\" class=\"wp-block-heading\"><strong>Chrome Extension for Users Data Exfiltration<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The pipeline used two local data stores: a settings store for a persistent installation fingerprint, encryption initialization vector, and upload timing data and a temp store for <a href=\"https:\/\/cybersecuritynews.com\/weaponized-chrome-extension\/\" target=\"_blank\" rel=\"noreferrer noopener\">encrypted domain records<\/a> and visit counters.<\/p>\n<p class=\"wp-block-paragraph\">The implementation was reportedly configured to retain up to 1,000 distinct domains before forcing an upload. The code also included an outbound POST routine pointing to https:\/\/api.stanfordstudies.com\/app\/log.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/stripeolt.com\/knowledge-hub\/threat-research\/chrome-extension-hidden-data-exfiltration-900k-users\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">According to StripeOlt\u2019s analysis<\/a>, the payload contained encrypted browsing data, device fingerprint information, and browser details.<\/p>\n<p class=\"wp-block-paragraph\">The uploader was built to retry failed requests and erase locally staged domain data after a successful transmission, reducing available forensic evidence.<\/p>\n<p class=\"wp-block-paragraph\">However, researchers stressed an important distinction: the history-collection function in the analyzed build was gated by an empty allow-list.<\/p>\n<p class=\"wp-block-paragraph\">Because no browser identifier was included in that list, the collection and upload path did not execute in that version.<\/p>\n<p class=\"wp-block-paragraph\">The concern is that the complete collection, encryption, storage, scheduling, and transmission framework was already in place and could be enabled via a routine extension update without requesting new permissions.<\/p>\n<p class=\"wp-block-paragraph\">The extension also contained active telemetry functionality tied to extensions-hub.com, reporting install, update, and uninstall events.<\/p>\n<p class=\"wp-block-paragraph\">This tracking is separate from the dormant browsing-history upload capability. However, it demonstrates that the extension was already communicating with third-party infrastructure.<\/p>\n<p class=\"wp-block-paragraph\">Google and Microsoft have reportedly pulled ModHeader from their respective extension stores, with Microsoft\u2019s removal occurring on July 3 and Google subsequently flagging the <a href=\"https:\/\/cybersecuritynews.com\/rilide-malware-as-browser-extension-attacking-chrome-edge-users\/\" target=\"_blank\" rel=\"noreferrer noopener\">extension as malware<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">Organizations should hunt for extension ID idgpnmonknjnojddfkpgkljpfnnfcklj, block or monitor stanfordstudies.com and extensions-hub.com, and remove the extension from managed browser environments.<\/p>\n<p class=\"wp-block-paragraph\">Users who relied on ModHeader for API testing should also review and rotate sensitive values previously placed in custom headers, including API keys, authorization tokens, and session cookies.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/aydinnyunus.github.io\/2026\/07\/12\/modheader-data-exfiltration-stanfordstudies\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Researchers from aydinnyunus.github noted <\/a>that the incident exposes a long-standing browser supply chain issue: while Chrome Web Store signatures confirm an extension\u2019s origin, they do not ensure that every capability introduced in later updates is safe.<\/p>\n<p class=\"wp-block-paragraph\">High-permission extensions should be governed as third-party software, with allowlists, inventory monitoring, and periodic behavioral review.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Indicator of Compromise<\/strong><\/p>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th><strong>Type<\/strong><\/th>\n<th><strong>Indicator<\/strong><\/th>\n<th><strong>Context<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Extension ID<\/td>\n<td><code>idgpnmonknjnojddfkpgkljpfnnfcklj<\/code><\/td>\n<td>ModHeader<\/td>\n<\/tr>\n<tr>\n<td>Version<\/td>\n<td><code>7.0.18<\/code><\/td>\n<td>Affected release<\/td>\n<\/tr>\n<tr>\n<td>Exfiltration URL<\/td>\n<td><code>https:\/\/api.stanfordstudies.com\/app\/log<\/code><\/td>\n<td>Suspected data upload<\/td>\n<\/tr>\n<tr>\n<td>Telemetry Domain<\/td>\n<td><code>extensions-hub.com<\/code><\/td>\n<td>Install\/update tracking<\/td>\n<\/tr>\n<tr>\n<td>Data Collection Domain<\/td>\n<td><code>stanfordstudies.com<\/code><\/td>\n<td>Suspected infrastructure<\/td>\n<\/tr>\n<tr>\n<td>Shared IP<\/td>\n<td><code>3.147.61.167<\/code><\/td>\n<td>Associated AWS IP<\/td>\n<\/tr>\n<tr>\n<td>IndexedDB Stores<\/td>\n<td>\n<code>settings<\/code>, <code>temp<\/code>\n<\/td>\n<td>Local data storage<\/td>\n<\/tr>\n<tr>\n<td>Service Worker<\/td>\n<td><code>assets\/src\/background-94ad634d.js<\/code><\/td>\n<td>Collection logic<\/td>\n<\/tr>\n<tr>\n<td>Static Marker<\/td>\n<td><code>mod\u76d0header<\/code><\/td>\n<td>Hardcoded string<\/td>\n<\/tr>\n<tr>\n<td>Author String<\/td>\n<td><code>modhader@<\/code><\/td>\n<td>Manifest artifact<\/td>\n<\/tr>\n<tr>\n<td>AES-GCM Key<\/td>\n<td><code>aWfU3yG_wksZaQdSnxPJBOId0cAN8KK\/UIlZbli7-bE<\/code><\/td>\n<td>Embedded encryption key<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Note:<\/strong><em><strong>\u00a0<\/strong>IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.<\/em><\/p>\n<p class=\"has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 87%,rgb(169,184,195) 100%)\"><strong>\u00a0Strengthen Your SOC by Accelerating Threat Detection &amp; Rapid Investigations.\u00a0-&gt; <a href=\"https:\/\/any.run\/enterprise\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=sandbox&amp;utm_content=enterprise&amp;utm_term=0626#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Integrate ANY.RUN With Your SOC <\/a><strong><a href=\"https:\/\/any.run\/enterprise\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=sandbox&amp;utm_content=enterprise&amp;utm_term=0626#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Now<\/a><\/strong>.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/chrome-extension-used-million-users-data-exfiltration\/\">Chrome Extension Used by 1.6 Million Users Silently Included Data Exfiltration Capabilities<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Abinaya<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/chrome-extension-used-million-users-data-exfiltration\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Chrome Extension Used by 1.6 Million Users Silently Included Data Exfiltration Capabilities A widely used browser extension, ModHeader, has been removed from the Chrome Web Store after researchers found that its signed release contained a dormant capability to collect, encrypt, and potentially upload users\u2019 browsing-domain data. The extension reportedly had about 1.6 million combined installations [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[768,129,63],"tags":[130],"class_list":["post-14282","post","type-post","status-publish","format-standard","hentry","category-chrome","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14282"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14282"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14282\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14282"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14282"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14282"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}