Analysis: Popular Chrome Extension ModHeader Exfiltrates User Data
4 hours ago
- #Data Exfiltration
- #Browser Extension
- #Privacy Invasion
- ModHeader is a Chrome extension with over 1.6 million installs that exfiltrates browsing data to api.stanfordstudies.com.
- The extension uses AES-GCM encryption, IndexedDB storage, randomized upload timing, and evidence deletion after data exfiltration.
- It collects all visited domains, a unique device fingerprint, and browser identity, uploading after 1,000 domains or 24 hours.
- Stealth mechanisms include encrypted payloads, self-destruction of local data, and silent error handling to evade detection.
- The extension also reports install, update, and uninstall events to extensions-hub.com for additional tracking.
- Browser extensions are a security blind spot, allowing such exfiltration due to broad permissions and limited review processes.
- Users are advised to remove ModHeader and use open-source alternatives, with a report filed to the Chrome Web Store.