« All posts

Popular ModHeader Chrome Extension Exfiltrates User Data

Reverse engineering reveals ModHeader, a 1.6M-install Chrome extension, secretly exfiltrates encrypted browsing data via a hidden AES-GCM pipeline.

ModHeader, a Chrome/Edge extension with over 1.6 million installs, has been found silently harvesting every domain users visit. A reverse-engineering analysis of version 7.0.17 shows the data is encrypted with a hardcoded AES-GCM key, stored in IndexedDB, and periodically uploaded to api.stanfordstudies.com at randomized intervals.

The exfiltrated payload includes a persistent device fingerprint, encrypted domain visit counts, browser identity strings, and an upload history log. Uploads trigger after 1,000 unique domain visits or every 24 hours, and local evidence is wiped immediately after a successful transmission. Timing is randomized per install using a SHA-256-derived offset, and a Unicode-salted string is used to evade simple code searches.

For engineers and security teams, this case is a reminder that even widely trusted developer tools can hide full-fledged exfiltration subsystems behind innocuous functionality. It underscores the need for regular permission audits, extension update reviews, and network-level scrutiny even when traffic appears encrypted and opaque.