- LayerX says enterprises are using tens of extensions daily
- Many are built by anonymous individuals
- Some have extensive permissions, putting sensitive data at risk
Browser extensions are increasing the attack surface, putting employees and businesses at risk. This is according to the 2025 Enterprise Browser Extension Security Report, a new paper published by LayerX, a cybersecurity company specializing in securing web browsing for enterprises.
The document was drafted by combining data from public extension marketplaces and real-world enterprise usage telemetry, LayerX said.
The improvements extensions bring to everyday browsing are undeniable, LayerX said, describing them as “ubiquitous”. Virtually all enterprises (99%) have at least one installed, and more than half of analyzed organizations (52%) are running more than ten extensions.
Extensions add risk
Extensions are pieces of software that add features or functionality to web browsers. These can be anything from blocking ads, managing passwords, to enhancing productivity. They can be built by both companies and independent (and anonymous!) developers, and can be found in browser-specific stores like the Chrome Web Store or Firefox Add-ons site.
However, the researchers also claim they are dangerous, since 53% of installed extensions in enterprise environments have ‘high’ or ‘critical’ risk permissions, allowing access to sensitive data. Also, more than 20% of enterprise employees are now using GenAI extensions, more than half (58%) of which also have ‘high’ or ‘critical’ permissions.
Trouble is further compounded by the fact that the identity of the extension’s developer is, in many cases, unknown. More than half (54%) of extensions are published anonymously, and 79% of publishers have only released one extension, “making trust assessment extremely challenging”. Finally, 51% of extensions haven’t received an update in more than a year, while 26% are sideloaded, bypassing security vetting.
To mitigate the threat, enterprises should audit all browser extensions, categorize them to understand their risk profiles, and enumerate and analyze their permissions “meticulously,” LayerX suggested. They should also perform comprehensive risk assessments and enforce adaptive, risk-based security policies.
Via BleepingComputer
Leave a comment