Google and Microsoft have removed ModHeader, a widely used browser extension for editing HTTP request and response headers, from the Chrome Web Store and Edge Add-ons store after security researchers discovered a hidden browsing-history collection mechanism built into the official published version.

ModHeader had accumulated roughly 1.6 million installs across the two browsers, making it a popular tool among developers and testers who use it to modify headers for debugging, API testing, and simulating different client environments.

A Dormant but Present Capability

According to researchers, the collector functionality was present in the extension’s code but inactive at the time of discovery. It relied on an empty allow-list configuration that effectively kept the feature switched off, meaning the code path for gathering browsing history existed but had not been triggered.

No evidence has surfaced indicating that the collector ever actually captured or transmitted browsing domain data from users. The mechanism appears to have been dormant rather than actively exfiltrating data, though its mere presence in a widely trusted extension raised enough concern for both Google and Microsoft to act.

Why Store Removal Matters

Extensions with header-modification permissions typically require broad access to web requests, making them attractive targets for abuse if compromised or if hidden functionality is later activated remotely. An allow-list controlled remotely, even an empty one, introduces the possibility that a future update or server-side change could flip the collector on without requiring a new extension review.

The removal from both official stores cuts off new installations and typically disables or flags the extension for existing users, depending on each platform’s enforcement policies. Organizations that rely on ModHeader for development or QA workflows should verify whether it is still installed in their environments and evaluate whether continued use is appropriate given the findings.

What Security Teams Should Do

  • Audit browser extension inventories for ModHeader across Chrome and Edge deployments
  • Remove or disable the extension where found, pending further vendor guidance
  • Review network logs for any anomalous outbound traffic tied to the extension’s known domains
  • Reassess policies around approving extensions with broad web-request permissions

This incident underscores a recurring risk in the browser extension ecosystem: functionality can be shipped in a dormant state, passing store review while retaining the potential to be activated later with minimal additional code changes.