Google and Microsoft have pulled ModHeader, a popular header-editing extension with roughly 1.6 million installs across Chrome and Edge, after researchers found a hidden browsing-history collector built into its official store version.
The collector was dormant. An empty allow-list kept it switched off, and no proof has emerged that it ever gathered or sent a single browsing domain.
The analysis came from Stripe OLT, a UK security firm, which checked the code against Google's own Web Store signature and confirmed the collector shipped inside the genuine extension, not a counterfeit.
Google and Microsoft pulled ModHeader after researchers found a dormant collector built to encrypt and upload up to 1,000 visited domains.
thehackernews.com