[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

ModHeader - Modify HTTP headers

Version 7.0.14 View in Chrome Web Store

Last scanned: about 12 hours ago

Extension Details

Developer: modheader.com

Rating: 3.0 ★ (1.2K ratings)

Users: 900,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has a substantial user base of 900,000 users, indicating widespread adoption. However, the relatively low rating of 3.0 out of 5 with 1,200 reviews suggests user dissatisfaction or concerns. The extension's purpose - modifying HTTP headers - is legitimate for developers and testers, but the broad permissions raise security concerns.

Concerns:

The extension requests extremely broad permissions that create significant security risks. The webRequest permission combined with <all_urls> host permissions allows complete interception and modification of all web traffic. Content script injection across all websites enables the extension to read sensitive data, modify page content, or potentially steal credentials from any site you visit. The declarativeNetRequest and scripting permissions further expand its ability to manipulate web requests and inject code. These permissions far exceed what's typically necessary for basic header modification functionality.

Recommendations:

Consider running this extension in a separate Chrome profile dedicated to development work to isolate it from personal browsing. Only enable the extension when actively needed for development or testing purposes. Regularly review what headers you're modifying and disable the extension immediately after use. For casual users, consider alternative tools that don't require such broad permissions. Monitor your network traffic when the extension is active and be cautious about using it while accessing sensitive websites like banking or email services.

Findings

HIGH

Broad Content Script Injection

This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: webRequest

This extension has the webRequest permission. Can intercept and modify web requests. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: contextMenus

This extension has the contextMenus permission. Can add items to the context menu.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

alarms
contextMenus
storage
webRequest
declarativeNetRequest
scripting

Optional Permissions:

contentSettings
browsingData

Host Permissions:

<all_urls>

Embedded URLs (22 total):

https://clients2.google.com/service/update2/crx	http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd
http://www.w3.org/2000/svg	http://www.w3.org/1999/xlink
https://modheader.com	https://modheader.com/profile/
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/declarativeNetRequest/ModifyHeaderInfo#header_limits	https://modheader.com/?ref=me
https://modheader.com/review?browser=	https://modheader.com/docs
https://modheader.com/docs/embed	https://modheader.com/docs/profiles/auto-sync-profile
https://stuk.github.io/jszip/documentation/howto/read_zip.html	https://github.com/csstree/csstree/issues
https://tinyurl.com/y2uuvskb	http://bit.ly/2kdckMn
https://npms.io/search?q=ponyfill.	https://api.stanfordstudies.com/app/log
https://www.extensions-hub.com/partners/uninstalled/?name=ModHeader	https://www.extensions-hub.com/partners/installed/?name=ModHeader
https://www.extensions-hub.com/partners/updated/?name=ModHeader	https://github.com/material-components/material-components-web/issues/31

Raw Manifest

{
  "name": "ModHeader - Modify HTTP headers",
  "icons": {
    "16": "images/icon_16.png",
    "48": "images/icon_48.png",
    "128": "images/icon_128.png"
  },
  "action": {
    "default_icon": {
      "16": "images/icon_16.png",
      "48": "images/icon_48.png",
      "128": "images/icon_128.png"
    },
    "default_popup": "src/popup_v1.html",
    "default_title": "Modheader"
  },
  "author": "modhader@",
  "version": "7.0.14",
  "background": {
    "type": "module",
    "service_worker": "serviceWorker.js"
  },
  "options_ui": {
    "page": "src/app_v1.html",
    "open_in_tab": true
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Modify HTTP request headers, response headers, and redirect URLs",
  "permissions": [
    "alarms",
    "contextMenus",
    "storage",
    "webRequest",
    "declarativeNetRequest",
    "scripting"
  ],
  "default_locale": "en",
  "content_scripts": [
    {
      "js": [
        "src/js/service/content_script_vite.js"
      ],
      "matches": [
        "<all_urls>"
      ]
    }
  ],
  "host_permissions": [
    "<all_urls>"
  ],
  "manifest_version": 3,
  "optional_permissions": [
    "contentSettings",
    "browsingData"
  ],
  "web_accessible_resources": [
    {
      "matches": [
        "<all_urls>"
      ],
      "resources": [
        "assets/AppVite-041b9295.css",
        "assets/AppVite-af7ada5f.js",
        "assets/IconBtn-94c9cb85.js",
        "assets/_commonjsHelpers-187a63f9.js",
        "assets/browser-polyfill-c2a30efe.js",
        "assets/dayjs.min-6a736ee8.js",
        "assets/isObjectLike-7962ce13.js",
        "assets/renderContent-9d534bdd.js",
        "assets/src/js/service/content_script_vite-c387a50d.js",
        "images/*"
      ]
    }
  ]
}

by ✦ Astarte

ModHeader - Modify HTTP headers

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Optional Permissions:

Host Permissions:

Embedded URLs (22 total):

Raw Manifest

Detections

Manifest Findings