ModHeader removed over hidden data exfiltration risks
ModHeader was a highly popular browser extension used to edit HTTP request and response headers. It had ~1.6 million installs across Chrome and Edge at the time of its removal.
It was extremely popular among software professionals. I work in a content distribution company that offers many reverse proxy-based solutions, which is where I had my first encounter with ModHeader and got hooked. It has been an extremely efficient tool for testing, as well as a great help for troubleshooting many problems.
Stripe OLT (part of the Littlefish Group), a UK-based cybersecurity service provider, published an analysis report exposing the hidden exfiltration capability in this extension.
Stripe OLT statement:
We found dormant surveillance functionality in a trusted Chrome Web Store extension with around 900,000 users, including the ability to collect, encrypt and potentially exfiltrate browsing-domain data. Our analysis explains how we discovered and verified it, and what security teams can do to detect related activity.
Report Details:
Underneath this genuine and functional header-editing tool, version 7.0.18 contains:
- A browsing history collection engine that fingerprints the device, encrypts each visited domain with a hardcoded AES-GCM key, and stages the data in a local database.
- A prebuilt exfiltration channel designed to upload that encrypted history, roughly once per day, to a likely attacker-controlled endpoint api.stanfordstudies.com.
- Install, update, and uninstall telemetry beaconed to a second third-party domain extensions-hub.com.
- A content script that injects into every website visited and logs request metadata to a local store.
Because ModHeader was such a popular extension for testing and debugging, many engineers likely input bearer tokens, API keys, cookies, and other secrets into the tool. This exfiltration capability could have leaked and exposed this sensitive data to an attacker-controlled backend. Based on Stripe OLT’s analysis, that backend was stanfordstudies.com.
Please note that this domain has no link to Stanford University; rather, it is an aged, repurposed domain.
This incident also teaches us an important lesson: the growing reliance on easy-to-use extensions comes with a hidden risk of data leakage and exposure behind the scenes.
Following the Stripe OLT disclosure, Google and Microsoft removed ModHeader from their official stores. Here are two screenshots from Chrome confirming it is no longer available:

