The Hidden Risks of Browser Extensions: Safeguarding Enterprise Data

In today’s digital landscape, browser extensions have become integral tools for enhancing productivity and customizing user experiences. From grammar checkers to AI-powered assistants, these add-ons offer a plethora of functionalities. However, a recent report by LayerX, titled the Enterprise Browser Extension Security Report 2025, sheds light on the potential security risks these extensions pose to enterprise environments.

Pervasiveness of Browser Extensions in Enterprises

The report reveals that an overwhelming 99% of employees have browser extensions installed, with over half (52%) having more than ten extensions. This ubiquity underscores the deep integration of extensions into daily workflows. However, it also highlights the expansive attack surface they create, making enterprises vulnerable to potential security breaches.

Access to Sensitive Data

A significant concern is that 53% of these extensions can access sensitive data, including cookies, passwords, web page contents, and browsing histories. Such extensive permissions mean that a single compromised extension could jeopardize an entire organization’s data integrity. This aligns with findings from Georgia Tech researchers, who identified over 3,000 extensions that automatically collect user-specific data, affecting tens of millions of users. Alarmingly, more than 200 of these extensions directly extracted sensitive user data from web pages and uploaded it to external servers. ([news.gatech.edu](https://news.gatech.edu/news/2024/09/17/study-finds-thousands-browser-extensions-compromise-user-data?utm_source=openai))

Anonymity of Extension Publishers

The report also highlights the opacity surrounding extension publishers. Over half (54%) of extension publishers are unidentified, often using generic Gmail addresses. Furthermore, 79% of these publishers have released only a single extension. This lack of transparency complicates the task of assessing the credibility and trustworthiness of extensions, posing challenges for IT departments aiming to secure their networks.

The Rise of GenAI Extensions

The advent of Generative AI (GenAI) has led to a surge in related browser extensions. The report notes that over 20% of users have at least one GenAI extension installed, with 58% of these possessing high-risk permission scopes. While these tools offer advanced capabilities, their extensive permissions can be exploited if not properly managed, necessitating clear policies for their use within enterprises.

Concerns Over Unmaintained and Sideloaded Extensions

Maintenance and update frequency are critical for software security. The report indicates that 51% of extensions haven’t been updated in over a year, potentially leaving them vulnerable to exploits. Additionally, 26% of enterprise extensions are sideloaded, bypassing standard store vetting processes. These factors increase the risk of introducing malicious or outdated code into enterprise systems.

Real-World Implications

The risks associated with browser extensions are not merely theoretical. In December 2024, a phishing campaign targeted Chrome extension developers, leading to the compromise of at least 35 extensions used by approximately 2.6 million users. These hijacked extensions were modified to inject data-stealing code, underscoring the potential for widespread data breaches originating from seemingly innocuous add-ons. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/?utm_source=openai))

Recommendations for Enterprises

To mitigate the risks posed by browser extensions, LayerX offers the following recommendations:

1. Comprehensive Extension Audit: Enterprises should conduct thorough audits of all extensions in use to understand the full scope of their attack surface.

2. Categorization of Extensions: Identifying and categorizing extensions based on their functionality and permissions can help in assessing potential risks.

3. Permission Enumeration: Listing the permissions granted to each extension provides clarity on the data they can access, aiding in risk assessment.

4. Risk Assessment: Evaluating each extension’s risk based on permissions, publisher credibility, and update history is crucial for informed decision-making.

5. Implementation of Security Policies: Establishing clear policies regarding the installation and use of extensions can prevent unauthorized or risky add-ons from compromising enterprise security.
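
The audit, permission-enumeration and risk-assessment steps above can be scripted against the manifests Chrome keeps on disk. The sketch below is an added example, not LayerX's method or tooling: the permission names are real Chrome permissions, but the weights, tier cut-offs and the "store_managed" heuristic are assumptions to adapt to your own policy. It expects a profile's Extensions directory laid out as <id>/<version>/manifest.json.

```python
import json
from pathlib import Path

# Real Chrome permission names; the weights and tier cut-offs are assumptions.
WEIGHTS = {"cookies": 3, "history": 3, "webRequest": 3, "debugger": 4,
           "nativeMessaging": 3, "scripting": 2, "tabs": 2, "clipboardRead": 2}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

def enumerate_permissions(manifest):
    """Split declared permissions into API permissions and host patterns."""
    declared = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    hosts = set(manifest.get("host_permissions", []))          # Manifest V3
    for script in manifest.get("content_scripts", []):         # page-content access
        hosts.update(script.get("matches", []))
    api = set()
    for perm in declared:
        if not isinstance(perm, str):
            continue                                           # skip object-form entries
        # Manifest V2 lists host patterns alongside API permissions.
        (hosts if "://" in perm or perm == "<all_urls>" else api).add(perm)
    return api, hosts

def assess(manifest):
    """Score one manifest and return the facts an auditor would record."""
    api, hosts = enumerate_permissions(manifest)
    broad = bool(hosts & BROAD_HOSTS)
    score = sum(WEIGHTS.get(p, 0) for p in api) + (3 if broad else 0)
    tier = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"name": manifest.get("name", "?"), "api": sorted(api),
            "all_sites": broad, "score": score, "tier": tier,
            # Heuristic: no Web Store update URL suggests a sideloaded install.
            "store_managed": manifest.get("update_url") == STORE_UPDATE_URL}

def audit(extensions_dir):
    """Walk <extensions_dir>/<id>/<version>/manifest.json, highest risk first."""
    results = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue                                           # unreadable or malformed
        if isinstance(manifest, dict):
            results.append({"id": path.parts[-3], **assess(manifest)})
    return sorted(results, key=lambda r: r["score"], reverse=True)
```

Run audit() per user profile and feed the rows into the categorization and policy steps; publisher identity and last-update date are not in the manifest and have to come from the store listing.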

Conclusion

While browser extensions offer valuable functionalities, their potential to access sensitive data necessitates vigilant management within enterprise environments. By understanding the risks and implementing proactive security measures, organizations can harness the benefits of extensions without compromising their data integrity.