Browser extensions make nearly every employee a potential attack vector

Despite being present on virtually every employee’s browser, extensions are rarely monitored by security teams or controlled by IT, according to LayerX.


Most extensions have access to sensitive data

99% of enterprise users have at least one extension installed in their browsers, and 53% have more than 10 browser extensions. This widespread usage means almost every employee represents a potential attack vector.

53% of enterprise users have installed a browser extension with “high” or “critical” permission scopes. These extensions can access cookies, passwords, browsing data and more, meaning that enterprise users are at a higher risk of exposure.

Over 20% of enterprise users have a GenAI-enabled browser extension installed. These tools can bypass corporate GenAI access controls and gain privileged access to sensitive data at twice the rate of other extensions.

GenAI extensions tend to be riskier than average: 58% of GenAI extensions have “high” or “critical” permissions, such as cookies, identities or scripting, which is twice the average rate of all other extensions, making them a particularly large risk.

How far an organization can trust an extension often depends on the reputation of the extension publisher. 54% of extension publishers use a free webmail account, and 79% have only published a single extension. Additionally, 22% of extensions are less than six months old. With little to no information to go on, establishing the trustworthiness of extensions is virtually impossible.

Unmaintained browser extensions pose a growing threat

51% of all extensions haven’t received updates in over a year. Not only does this open extensions up to software vulnerabilities and supply-chain risks, but it also raises the risk of abandoned extensions that no one is maintaining: 25% of extensions haven’t received an update in a year and are published by publishers identified only by a Gmail account, raising the possibility that these are ‘hobbyist’ extensions that have been abandoned.

Using a free webmail account is not, in itself, necessarily an indicator that a developer or an extension is malicious or should not be trusted. However, this low entry bar makes it easy for bad actors to create fake identities and publish malicious extensions to unsuspecting users.

“Browser extensions have quietly become one of the most overlooked threat surfaces in enterprise environments,” said Or Eshed, CEO of LayerX Security. “Our latest report shows that extensions are not only everywhere in the enterprise, they’re also highly privileged, largely unvetted and often tied to anonymous publishers, posing a risk to security leaders that they can no longer afford to ignore.”

While Chrome, Edge and Firefox are the most common stores for extensions, the browser extension threat surface goes much wider. According to LayerX’s telemetry data from its user base, 17% of extensions installed on enterprise endpoints are from non-official stores, and 26% were sideloaded, meaning they were installed directly into the browser by another process or application.
