Browser Extensions: The Quiet Security Risk Lurking in Enterprise

Apr 22, 2025, by Eli Junco


Browser extensions have become deeply embedded in modern workflows—whether it’s spell checkers, ad blockers, or GenAI-powered productivity tools. While they offer convenience and enhanced user experience, a new report highlights how they also represent one of the most overlooked and underestimated attack surfaces in today’s enterprise landscape.

LayerX recently released the Enterprise Browser Extension Security Report 2025, the first report to combine marketplace data with real-world enterprise usage telemetry. The findings shine a light on the widespread use of browser extensions and the significant security implications they carry.

Browser Extensions Are Everywhere—And Risky

Below is a compiled list of findings reported by LayerX.


Browser extensions are nearly universal.
According to the report, 99% of employees have browser extensions installed, and over half (52%) have more than ten running at any given time. These tools have become indispensable, but their risks are largely invisible to security teams.

More than half of extensions access sensitive data.
An alarming 53% of extensions have permissions to access sensitive information such as cookies, passwords, browsing history, and the contents of web pages. Because those permissions give the extension the same view of the session that the user's browser has, a single compromised extension is a direct entry point into critical enterprise data.

Extension publishers are often untraceable.
The majority of these extensions come from publishers who cannot be identified: 54% are associated only with a generic Gmail address, and 79% of publishers have released just a single extension, leaving no track record by which to judge their trustworthiness or hold them accountable.


GenAI Extensions: A Growing Threat Vector

GenAI tools in the browser have exploded in popularity: over 20% of users now have at least one installed. These extensions routinely demand high-risk permissions, accessing data that businesses would never voluntarily share with third parties. Before rolling out any GenAI helper to your teams, establish clear policies on what data it may process, where that data is stored, and how it is protected.

Outdated and Sideloaded Extensions Multiply the Risk


Outdated software is often vulnerable software, and browser extensions are no exception. The report finds that 51% of extensions haven’t received updates in over a year. On top of that, 26% of enterprise extensions are sideloaded—bypassing even the basic vetting provided by official extension marketplaces.

These extensions may not be malicious by design, but an extension that keeps its permissions while its code goes unpatched, or that never passed a marketplace review, is a prime target for exploitation.

Five Recommendations for Security Teams


LayerX doesn’t just highlight the problem—it offers a roadmap for security and IT teams ready to tackle this risk head‑on:

  1. Audit all browser extensions:
    • Visibility is the first step. Create a comprehensive inventory of all extensions installed across the organization.
  2. Categorize extensions by function and user base:
    • Some extensions pose more risk than others due to their wide usage or elevated permissions. Prioritize high-impact categories like GenAI and productivity tools.
  3. Enumerate extension permissions:
    • Document what each extension can access. This helps define your exposure and prioritize remediation.
  4. Assess and score risk:
    • Evaluate each extension based on its permissions, reputation, developer information, popularity, and installation method. Consolidate this into a unified risk score.
  5. Use adaptive, risk-based enforcement:
    • Use the risk scores to enforce policies that balance productivity and security—blocking high-risk extensions while allowing those that are safe and necessary.
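The five steps above, carried through end to end as an added example (this is not LayerX's code and is not part of the original article): a Python script that inventories a Chrome profile, enumerates each extension's API and host permissions across manifest versions, scores it on permissions, install path, update age and publisher, and emits a Chrome ExtensionSettings policy from the result. The scoring weights, the block threshold, the three sample extension records and the publisher_email field (which would come from the store listing, not from disk) are assumptions; the on-disk layout and the policy keys are Chrome's own.

```python
"""Extension inventory, permission enumeration, risk scoring and policy output.
Added example, not code from LayerX or from the article. Permission weights, the
block threshold, the sample records and publisher_email are assumptions."""
import json
from datetime import datetime, timedelta, timezone
from pathlib import Path

# API permissions that reach the data classes the report names: cookies/sessions,
# history, network traffic and page content (passwords included). Weights assumed.
SENSITIVE_API_PERMISSIONS = {
    "debugger": 4, "cookies": 3, "history": 3, "nativeMessaging": 3, "proxy": 3,
    "webRequest": 2, "webRequestBlocking": 2, "scripting": 2, "clipboardRead": 2,
    "management": 2, "tabs": 1,
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
STALE_AFTER = timedelta(days=365)  # the report's "no update in over a year"
BLOCK_AT = 6                       # assumed score at which an extension is blocked
REFERENCE_DATE = datetime(2025, 4, 22, tzinfo=timezone.utc)  # the report's date

def load_chrome_profile(profile_dir):
    """Step 1 (visibility): inventory a Chrome/Chromium profile directory.
    Manifests sit at Extensions/<id>/<version>_<n>/manifest.json; the Web Store
    origin flag lives in Preferences / Secure Preferences under
    extensions.settings.<id>.from_webstore (missing => treated as sideloaded)."""
    profile, settings, records = Path(profile_dir), {}, []
    for name in ("Preferences", "Secure Preferences"):
        if (profile / name).exists():
            prefs = json.loads((profile / name).read_text(encoding="utf-8"))
            settings.update(prefs.get("extensions", {}).get("settings", {}))
    for path in sorted(profile.glob("Extensions/*/*/manifest.json")):
        ext_id = path.parents[1].name
        records.append({
            "id": ext_id, "manifest": json.loads(path.read_text(encoding="utf-8")),
            "from_webstore": settings.get(ext_id, {}).get("from_webstore", False),
            # mtime stands in for the last update when no store listing date is known
            "last_update": datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc),
            "publisher_email": ""})  # not on disk; fill in from the store listing
    return records

def enumerate_permissions(manifest):
    """Step 3: split a manifest's grants into (api_permissions, host_patterns).
    MV2 mixes host patterns into `permissions`, MV3 uses `host_permissions`;
    optional permissions count as worst case (grantable at runtime) and
    content-script `matches` grant page access without any host permission."""
    apis, hosts = set(), set(manifest.get("host_permissions", []))
    for p in manifest.get("permissions", []) + manifest.get("optional_permissions", []):
        (hosts if p == "<all_urls>" or "://" in p else apis).add(p)
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return apis, hosts

def score_extension(record, now=REFERENCE_DATE):
    """Step 4: one score per extension from grants, install path, age, publisher."""
    apis, hosts = enumerate_permissions(record["manifest"])
    hits = [(SENSITIVE_API_PERMISSIONS[p], f"permission:{p}")
            for p in sorted(apis & set(SENSITIVE_API_PERMISSIONS))]
    if hosts & BROAD_HOST_PATTERNS:
        hits.append((3, "host:all-sites"))
    if not record.get("from_webstore"):
        hits.append((3, "sideloaded"))
    if now - record["last_update"] > STALE_AFTER:
        hits.append((2, "stale>1y"))
    if record.get("publisher_email", "").endswith("@gmail.com"):
        hits.append((1, "publisher:generic-email"))
    score = sum(weight for weight, _ in hits)
    return {"id": record["id"], "name": record["manifest"].get("name", record["id"]),
            "score": score, "reasons": [reason for _, reason in hits],
            "action": "blocked" if score >= BLOCK_AT else "allowed"}

def build_extension_settings(results):
    """Step 5: Chrome `ExtensionSettings` policy (Edge uses the same policy name).
    The "*" entry makes the default deny, which also closes the sideloading path:
    anything not explicitly allowed is blocked, and "blocked" disables installed copies."""
    policy = {"*": {"installation_mode": "blocked"}}
    for r in results:
        policy[r["id"]] = {"installation_mode": r["action"]}
    return policy

# Constructed sample inventory (made-up IDs, names and publishers) standing in
# for what load_chrome_profile() plus store-listing metadata would return.
SAMPLE_RECORDS = [
    {"id": "a" * 32, "from_webstore": True, "publisher_email": "security@spellwright.example",
     "last_update": datetime(2025, 3, 1, tzinfo=timezone.utc),
     "manifest": {"manifest_version": 3, "name": "Spellwright (sample)",
                  "permissions": ["storage", "contextMenus"],
                  "content_scripts": [{"matches": ["<all_urls>"], "js": ["spell.js"]}]}},
    {"id": "b" * 32, "from_webstore": True, "publisher_email": "someone1234@gmail.com",
     "last_update": datetime(2023, 11, 15, tzinfo=timezone.utc),
     "manifest": {"manifest_version": 2, "name": "AI Page Summarizer (sample)",
                  "permissions": ["cookies", "tabs", "webRequest", "*://*/*"]}},
    {"id": "c" * 32, "from_webstore": False, "publisher_email": "",
     "last_update": datetime(2025, 2, 1, tzinfo=timezone.utc),
     "manifest": {"manifest_version": 2, "name": "Sideloaded ad blocker (sample)",
                  "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"]}},
]

if __name__ == "__main__":
    results = [score_extension(r) for r in SAMPLE_RECORDS]
    print(json.dumps({"findings": results, "policy": build_extension_settings(results)}, indent=2))
```

Run as-is it scores the three constructed records (the spell checker stays allowed on a broad host grant alone; the GenAI summarizer and the sideloaded blocker cross the threshold) and prints the resulting policy. Point load_chrome_profile() at a real profile directory to score what is actually installed. The default-deny "*" entry is what addresses the sideloading finding: it turns the inventory into an allowlist, so the scoring only has to decide which known extensions earn an allowed entry, and the explicit blocked entries just document why the rest are out.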

Final Thoughts


Browser extensions are more than just productivity boosters: they are a growing part of your enterprise attack surface, and LayerX's 2025 report makes the conclusion clear. It's time to treat browser extensions with the same scrutiny as any other software in your network.

By combining visibility, policy, and adaptive enforcement, you can let your teams enjoy the benefits of browser extensions without sacrificing security. With the right approach, you’ll turn these potential liabilities into managed assets—and keep your data, and your business, safe.