Summary
Key Points:
- Google and Microsoft have removed the ModHeader extension after discovering a dormant browsing-history collector embedded within it, which could potentially be activated via a simple update.
- The extension, with 1.6 million installs, has not been proven to collect data yet, but its design allows for easy activation of the collector, posing significant privacy risks to users.
- Users are advised to uninstall ModHeader immediately, rotate any sensitive information stored in it, and block the associated domains at DNS and proxy levels.
Technical Details: The ModHeader extension contained a dormant browsing-history collector that could be activated by populating an internal allow-list. The collector was designed to encrypt and upload browsing data to api.stanfordstudies[.]com.
MITRE ATT&CK Techniques:
- None mentioned
IOCs Mentioned:
- api.stanfordstudies.com
- extensions-hub.com
- Extension ID: idgpnmonknjnojddfkpgkljpfnnfcklj
This incident highlights the risks associated with browser extensions that may contain hidden functionalities capable of compromising user privacy. Security teams should remain vigilant regarding third-party extensions and their potential for malicious behavior.
Join the discussion — sign up to comment, upvote, and save articles.