{"id":289151,"date":"2026-07-13T13:17:00","date_gmt":"2026-07-13T17:17:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/07\/13\/google-and-microsoft-pull-modheader-with-1-6-million-installs-after-dormant-collector-found\/"},"modified":"2026-07-13T19:05:08","modified_gmt":"2026-07-13T23:05:08","slug":"google-and-microsoft-pull-modheader-with-1-6-million-installs-after-dormant-collector-found","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/07\/13\/google-and-microsoft-pull-modheader-with-1-6-million-installs-after-dormant-collector-found\/","title":{"rendered":"Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/google-and-microsoft-pull-modheader.html\">Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/google-and-microsoft-pull-modheader.html\">https:\/\/thehackernews.com\/2026\/07\/google-and-microsoft-pull-modheader.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-13 13:17:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Google and Microsoft have pulled <strong>ModHeader<\/strong>, a popular header-editing extension with roughly 1.6 million installs across Chrome and Edge, after researchers found a hidden browsing-history collector built into its official store version.<\/p>\n<p>The collector was dormant. An empty allow-list kept it switched off, and no proof has emerged that it ever gathered or sent a single browsing domain.<\/p>\n<p>The analysis came from\u00a0Stripe OLT, a UK security firm, which checked the code against Google&#8217;s own Web Store signature and confirmed the collector shipped inside the genuine extension, not a counterfeit.<\/p>\n<p>Its review covers the Chrome build and its roughly 900,000 users; third-party trackers put another 700,000 or so on Edge. Microsoft pulled the Edge listing on July 3, and Google removed the Chrome one a week later, on July 10.<\/p>\n<p>Version\u00a07.0.18\u00a0(extension ID\u00a0idgpnmonknjnojddfkpgkljpfnnfcklj) still edits HTTP headers as advertised. The same minified background code also contains a second system. On first run, it builds a device fingerprint and loads a hardcoded encryption key. As you browse, it takes the domain from each page you open, encrypts it, and stores it locally, up to\u00a01000\u00a0distinct domains.<\/p>\n<p>Once a day, a scheduler bundles the encrypted list with your fingerprint, posts it to\u00a0api.stanfordstudies[.]com, and wipes the local copy. The upload time is offset per install, so browsers running it would not all beacon at once if the collector were switched on. Separate teardowns, by\u00a0HackIndex\u00a0on version\u00a07.0.18\u00a0and researcher\u00a0Yunus Aydin\u00a0on\u00a07.0.17, describe the same pipeline.<\/p>\n<p>The collector runs only if your browser matches an entry on an internal allow-list, and that list ships empty. The check fails every time, so the pipeline stops before it collects a single domain. Populating that list is a small change, with no new permissions and no click from you, delivered as a routine update. The hardcoded key, the endpoint URL, the scheduler, and the storage logic are already&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/google-and-microsoft-pull-modheader.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found https:\/\/thehackernews.com\/2026\/07\/google-and-microsoft-pull-modheader.html Publish&#8230;<\/p>\n","protected":false},"author":1,"featured_media":289152,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhSvBtzUXyAbjgtvPJVS9zZ29ULkaIs0fMMa53ZKSip2pJbZ7_HMTGn3SV27X28JLwaq9atS1B_jvH_7qgfsjW0wyVDV_jGyqFSyO-z_vHuoigCy14xfb7DKuuWGIMUVeLiOhnap1yICNPEC2OUkA0d_e8RXtPs7oTo3BAz9I2DTxRwg67vgObResLQ7c4\/s1600\/browser-edge.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[],"class_list":["post-289151","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/289151"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=289151"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/289151\/revisions"}],"predecessor-version":[{"id":289153,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/289151\/revisions\/289153"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/289152"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=289151"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=289151"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=289151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}