ModHeader Extension Yanked After Dormant Data Collector Found
Google and Microsoft have both pulled the popular ModHeader extension pulled from their official stores. The header-editing tool, which had roughly 1.6 million installs across Google Chrome and Microsoft Edge, was removed after security researchers uncovered a hidden browsing-history collector buried in its code.
The collector was dormant. An empty allow-list kept it switched off, and no proof has emerged that it ever gathered or sent a single browsing domain. But its mere presence was enough to trigger a takedown from both companies.
What ModHeader Did — and What Got Hidden Inside
ModHeader let developers and power users modify HTTP request headers on the fly. It was a niche but essential tool for testing web apps, debugging APIs, and spoofing headers for development work. Many users installed it years ago and never thought twice about it.
Then researchers at BleepingComputer took a closer look at the extension’s code. They found a function that could collect domains from a user’s browsing history and send them to a remote server. The collector was gated by an allow-list — a list of domains it would actually track. That list was empty.
Empty or not, the code was there. And once you ship code that can exfiltrate data, the damage to trust is done.
1.6 Million Installs — But No Evidence of Data Theft
Here’s the tricky part. The collector was never active. No domains were ever sent. The extension’s developer likely inserted the code as a placeholder for future functionality — or maybe as a test that got accidentally pushed to the store. Either way, it violated each store’s policies against unauthorized data collection.
Google’s Chrome Web Store policy is clear: extensions must only request permissions they actually use. Code that could collect browsing history, even if dormant, is a red flag. Microsoft’s Microsoft Edge Add-ons policy is similarly strict.
Both companies acted fast. The extension was removed within days of the report. Users who already have ModHeader installed can still use it, but it won’t receive updates. And it won’t be available for new installs.
What This Means for Extension Developers
This incident is a sharp reminder: if you include code that can collect user data — even if it’s switched off — you’re playing with fire. Store reviewers are getting better at spotting suspicious patterns. And researchers are constantly scanning popular extensions for hidden functionality.
For users, the lesson is simpler. ModHeader extension pulled from stores doesn’t mean it’s safe to keep using. If you have it installed, consider whether you trust the developer to never flip that switch. Many users are already looking for alternatives like Requestly or Header Editor.
- Check your installed extensions regularly.
- Remove anything you don’t actively use.
- Stick to well-known developers with transparent privacy policies.
Alternatives to ModHeader
If you relied on ModHeader for development work, you’re not stranded. Several alternatives offer similar header-editing capabilities:
- Requestly — open-source, actively maintained, with a clear privacy policy.
- Header Editor — lightweight and focused on modifying request and response headers.
- Modify Headers — another solid option for HTTP header manipulation.
Each of these tools has been vetted by the community. None have hidden data collectors — at least, not yet. That’s the uncomfortable truth about browser extensions: you’re trusting the developer every time you click “Add to Chrome.”
The Bigger Picture: Trust in Browser Extensions
The ModHeader case isn’t an isolated incident. In 2023, Google removed dozens of extensions caught stealing user data. In 2024, a popular ad-blocker was found to be quietly sending browsing data to a marketing firm. The pattern keeps repeating.
Browser extensions are powerful. They can see everything you do — every page you visit, every form you fill, every password you type. That power makes them a prime target for bad actors. And even well-intentioned developers can make mistakes that compromise user privacy.
The ModHeader extension pulled story is a cautionary tale. It shows how quickly trust can evaporate. And it underscores why you should treat every extension as a potential risk — even one with 1.6 million installs and years of good reputation.
For now, the collector remains dormant. But the code is still there. And that’s enough to make anyone think twice.