Browser extensions are a significant and under-appreciated security risk for businesses. Here is how they can harvest your data, what happens when they go rogue, and how to audit and manage them properly.
Browser extensions are one of the most commonly overlooked security risks in a business environment. Staff install them freely - a grammar checker here, a screen capture tool there, a shopping discount finder someone installed on their lunch break - and they accumulate quietly in the background, often with permissions that would alarm most people if they thought about them for thirty seconds.
This is not a theoretical concern. There are documented cases of widely used, positively reviewed browser extensions being sold to malicious actors, updated with data-harvesting code, or compromised through developer account takeovers. When this happens, every business using the extension is affected - often without knowing it.
What Browser Extensions Can Actually Do
When you install a browser extension, you grant it permissions. The problem is that most people click through the permissions screen without reading it - and even those who do read it may not fully grasp what the permissions mean in practice.
Common permissions that extensions request, and what they actually enable:
“Read and change all your data on the websites you visit” - This is the broadest permission, and it is alarmingly common. An extension with this permission can read every page you view, including pages where you are logged into banking, email, internal business systems, or anything else. It can read form fields - including username and password fields - before you submit them. It can modify the content of pages you view. This permission is not rare; it is requested by many everyday utilities, including ad blockers, grammar checkers, and productivity tools.
“Read your browsing history” - The extension can see every URL you visit, with timestamps. This alone is significant data for profiling purposes or targeted attacks.
“Access your clipboard” - Can read anything you copy to your clipboard, including passwords, confidential business data, and authentication codes.
“Display notifications” - Can display messages on your screen, potentially used for social engineering.
“Access tabs and browsing activity” - Knows what tabs you have open, when you switch between them, and can open or close tabs.
For many legitimate extensions - an ad blocker, for instance - broad permissions are genuinely required for the tool to function. But those same permissions, in the hands of a malicious or compromised extension, create a serious risk.
How Extensions Go Bad
Not all dangerous extensions start out malicious. Several distinct paths lead to a trustworthy extension becoming a threat:
Sale of the extension. A developer builds a useful tool, grows a user base, then sells it. The buyer’s motivation is not always continued development - sometimes it is the existing permissions and user base. After a quiet period, the new owner pushes an update that adds data-harvesting functionality. Users see an update notification and approve it without scrutiny.
Developer account compromise. If the developer’s extension publishing account is compromised, an attacker can push a malicious update to all users. Both the Chrome Web Store and Firefox Add-ons require updates to be signed, but if the legitimate developer’s credentials are taken, the attacker can publish a malicious update through the normal channel, and to every user and every store check it looks entirely legitimate.
Malicious extensions in official stores. Google and Mozilla review extensions in their respective stores, but review processes are imperfect. Malicious extensions have been published, sometimes remaining available for weeks or months before removal. Extensions designed to look like legitimate tools - fake versions of well-known utilities - are particularly common.
Permissions creep over updates. Extensions sometimes expand their permissions over time through updates. A tool that originally requested minimal permissions may, after several updates, be requesting access to everything.
Real-World Impact for Businesses
The practical consequences of a compromised or malicious extension in a business environment include:
- Credential theft - passwords to business systems, email accounts and financial platforms, captured as staff type them
- Session hijacking - session cookies stolen, allowing the attacker to access systems without needing passwords
- Data exfiltration - confidential documents, communications, and client data viewed and exfiltrated silently
- Business email compromise setup - attackers gaining access to email accounts to conduct fraud
- Ransomware delivery - extensions can redirect users to malicious pages or download malicious files
A single staff member running a compromised extension on a shared business device can expose the entire business.
How to Audit Browser Extensions in Your Business
Start with visibility. Most organisations have no inventory of what extensions are installed across their fleet.
For Microsoft 365 environments managed with Intune/Endpoint Manager: Microsoft Edge extensions can be managed and reported through Intune. You can see what is installed, block specific extensions, and allow-list only approved extensions.
For Google Chrome in Google Workspace environments: Chrome Browser Cloud Management (free with Google Workspace) lets administrators see what extensions are installed across enrolled devices and set policies to restrict installation.
Manual audit: Ask staff to open their browser’s extensions page (chrome://extensions in Chrome, edge://extensions in Edge) and review what is installed. For each extension: do you know what it does, did you intentionally install it, and is it still needed?
Questions to ask about each extension:
- Who developed it - is the developer identifiable and reputable?
- What permissions does it have - are those permissions proportionate to its function?
- When was it last updated?
- Has it been reviewed recently in security publications?
- Is it still actively maintained?
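As an added example that is not part of the original article, the following Python script carries out the manual audit above against a Chrome or Edge profile on disk: it reads each installed extension’s manifest.json and reports its permissions in the same plain-language terms used earlier, so the “are the permissions proportionate?” question can be answered fleet-wide. The permission-to-description mapping and the sample manifest are constructed for this illustration, not taken from any real extension.

```python
import json
import sys
from pathlib import Path

# Manifest permission names mapped to the plain-language capabilities the browser
# shows at install time. Broad host patterns are matched separately below.
RISKY_PERMISSIONS = {
    "history": "read your browsing history",
    "clipboardRead": "access your clipboard",
    "notifications": "display notifications",
    "tabs": "access tabs and browsing activity",
    "cookies": "read site cookies (session hijacking risk)",
    "webRequest": "observe or modify web requests",
}
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

def assess_manifest(manifest: dict) -> dict:
    """Summarise one manifest.json as the capabilities a reviewer should weigh."""
    perms = list(manifest.get("permissions", [])) + list(manifest.get("optional_permissions", []))
    # Manifest V3 lists host patterns under host_permissions; V2 mixed them into permissions.
    hosts = list(manifest.get("host_permissions", [])) + [p for p in perms if "://" in p or p == "<all_urls>"]
    reads_all_sites = any(h in BROAD_HOSTS for h in hosts)
    findings = [RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS]
    if reads_all_sites:
        findings.insert(0, "read and change all your data on the websites you visit")
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "reads_all_sites": reads_all_sites, "findings": findings}

def audit_profile(profile_dir) -> list:
    """Assess every <profile>/Extensions/<id>/<version>/manifest.json under a browser profile."""
    results = []
    for path in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        with open(path, encoding="utf-8") as f:
            result = assess_manifest(json.load(f))
        result["id"] = path.parents[1].name  # the 32-character store ID, useful for allow-listing
        results.append(result)
    return results

# Constructed sample manifest (not a real extension) so the script also runs without a profile.
SAMPLE_MANIFEST = {"name": "Grammar Helper", "version": "2.3.1", "manifest_version": 3,
                   "permissions": ["clipboardRead", "tabs", "storage"],
                   "host_permissions": ["<all_urls>"]}

if __name__ == "__main__":
    report = audit_profile(sys.argv[1]) if len(sys.argv) > 1 else [assess_manifest(SAMPLE_MANIFEST)]
    for r in report:
        flag = "REVIEW" if r["findings"] else "ok"
        print(f"[{flag}] {r['name']} {r['version']}: {', '.join(r['findings']) or 'no broad permissions'}")
```

Pass the profile directory as the first argument (on Windows, %LOCALAPPDATA%\Google\Chrome\User Data\Default for Chrome or %LOCALAPPDATA%\Microsoft\Edge\User Data\Default for Edge); with no argument it assesses the embedded sample manifest.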
Managing Extension Risk Going Forward
Implement an extension policy. Define which browser extensions are approved for business use. Approved extensions should be the minimum necessary. Tools with broad data-access permissions that are not essential to business operations should be removed.
Use managed browser profiles. In environments managed with Intune or Chrome Enterprise, enforce the use of a managed browser profile for business activity. This separates work browsing from personal browsing and allows you to apply different extension policies to each.
Require explicit approval for new extensions. Staff should not be able to install extensions on business devices without IT approval. This is enforceable via group policy on Windows and via Chrome or Edge management policies.
Conduct periodic reviews. Extension inventories drift over time. Review installed extensions across your fleet quarterly, or whenever a new security advisory is published.
Keep extensions updated. While malicious updates are a risk, unpatched extensions with known vulnerabilities are a larger one. Ensure automatic updates are enabled and that your estate is actually receiving them.
A Note on Consumer Browsers on Business Devices
Many businesses allow staff to use personal browser profiles - or entirely personal devices - for some business activities. These environments are not manageable centrally. If business systems are accessed on unmanaged devices with uncontrolled browser extensions, the risk profile is significantly higher. Zero-trust network access (ZTNA) and device compliance checks can help manage this, but the simplest mitigation is a clear policy: business systems are accessed from managed devices with managed browser configurations.
Browser extension risk is manageable with the right policies and tools in place, and it is one of those controls that costs relatively little but meaningfully reduces your attack surface. If you would like help auditing your current extension estate or implementing browser management controls across your Melbourne business, contact CX IT Services.