Chrome and Edge Yank ModHeader Extension After Hidden History Collector Found
The browser add-on had 1.6 million users. A dormant tracker sat inside its official store version, though no evidence suggests it ever ran.

Key points
- Google and Microsoft removed the ModHeader extension from the Chrome Web Store and the Edge Add-ons store after researchers found a hidden browsing-history collector inside the official version.
- The extension had roughly 1.6 million combined installs across Chrome and Edge.
- The collector was dormant, held back by an empty allow-list, and no proof has emerged that it ever gathered or sent any browsing data.
- Users are advised to remove the extension and review which other add-ons have permission to read their browsing activity.
Google and Microsoft have pulled a widely used browser add-on called ModHeader after security researchers spotted code inside it that was quietly built to log where users go on the web.
ModHeader is a developer tool. It lets people change the little pieces of information a browser sends to a website, which is useful for testing. About 1.6 million people had installed it across Google Chrome and Microsoft Edge.
The hidden feature was a browsing-history collector. In plain terms, it was code that could record the domains a user visits and send that list somewhere else. On the version sitting in the official stores, the collector was switched off. It relied on an allow-list, a short register of sites it was permitted to watch, and that list was empty.
So nothing was captured. Nothing was sent. But the machinery was there, waiting.
Should users be worried?
Not about past data theft, based on what has been found so far. Researchers, whose findings were first reported by The Hacker News, say there is no evidence the collector ever ran against real users. The concern is that the code existed at all inside an extension trusted by more than a million people.
Browser extensions sit in a sensitive spot. To do their job, many of them ask for permission to read and change every page you visit. That permission is fine when the extension behaves. It becomes a serious problem the moment the extension changes hands, updates itself, or ships code that can be flipped on remotely.
That is the shape of the risk here. A single future update, or a single change to the allow-list on a server somewhere, could have turned a dormant feature into an active tracker across a large user base. Neither store has said publicly whether the developer added the code deliberately, whether an account was hijacked, or whether a third-party library pulled it in.
What should ModHeader users do now?
Remove it. In Chrome, open the three-dot menu, go to Extensions, and click Remove next to ModHeader. In Edge, the path is the same under the puzzle-piece icon. Both browsers will also disable the extension automatically once the store listing is pulled, but manual removal is cleaner.
While you are there, look at your other extensions. Two questions are worth asking about each one. Do you still use it? And does it really need permission to read data on every website you visit?
For businesses, the lesson is sharper. Extensions installed by staff on work machines can read internal web apps, email interfaces and customer portals. Many IT teams do not keep a list of which add-ons are running on which laptops. A managed allow-list of approved extensions, pushed through browser policy, closes that gap.
Google and Microsoft have not published a formal advisory linking the takedown to a specific policy clause, and neither store has issued a CVE for the finding. Researchers are still combing through older versions of the extension to see whether the collector ever pointed at a live target. If that changes, the picture changes with it.
For now, the safest reading is this: a popular tool shipped with a loaded but unfired weapon inside it, and two of the biggest browser vendors decided that was reason enough to remove it from sale.



