Browser extensions are a security risk.
That extension you installed five years ago can be sold, updated, or hijacked into malware overnight — and you'd never know until it already happened.
Browser extensions have huge permissions. Many can read every page you visit, capture form data, see cookies, and modify what you see. That's fine for a well-maintained extension from a reputable vendor. It's a disaster when a popular extension is sold, abandoned, or hacked.
How legitimate extensions go bad
Developers sell their extensions to new owners who monetize aggressively — sometimes by turning them into data collectors or ad injectors. Or an extension's author gets phished and the updated version rolls out to users automatically. In both cases, the trust you gave the extension in 2020 is now trust an attacker is exploiting, and you'd never notice because the icon didn't change.
Real-world examples
“A PDF-merging extension with 500K users was sold to a new owner.”
Red flag: Within weeks it was harvesting form data from every page users visited. Credentials, credit cards, session cookies — all captured.
“A developer's extension was hijacked via a phishing email that compromised her Chrome Web Store account.”
Red flag: A malicious version was pushed to every user overnight, and it was ten days before it was caught and removed.
How to manage the risk
- Audit browser extensions on every company device quarterly. Remove anything not in active use.
- Use a browser management policy (Chrome Enterprise, Edge) to allowlist approved extensions.
- For high-value users (executives, finance), allowlist only known, vetted extensions — no personal installs.
- Check permissions — an extension asking to "read all your data on all websites" is an extension to question.
- Prefer vendor-maintained extensions over individual developer ones.
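The permission check above can be scripted for an audit. The following Python helper is an added example, not code from the original tip: it walks a Chrome or Edge profile's Extensions directory, reads each extension's manifest.json and flags the grants that amount to "read all your data on all websites". The profile paths, the broad-host and sensitive-API lists and the sample manifest are assumptions, not taken from the page.

```python
"""Flag installed Chrome/Edge extensions whose manifest grants broad access (added audit helper)."""
import json
import sys
from pathlib import Path

# Host patterns that cover every site the user visits (assumed list; MV2 and MV3 spellings).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that expose cookies, traffic, history or the clipboard (assumed list).
SENSITIVE_APIS = {"cookies", "webRequest", "webRequestBlocking", "tabs", "history",
                  "clipboardRead", "nativeMessaging", "debugger", "proxy", "scripting"}

# Constructed sample manifest (MV3), shaped like the data-harvesting extension described in the text.
SAMPLE_MANIFEST = {
    "manifest_version": 3, "name": "PDF Merge Helper (constructed)", "version": "2.1.0",
    "permissions": ["storage", "cookies", "webRequest"],
    "host_permissions": ["<all_urls>"],
}

def audit_manifest(manifest: dict) -> dict:
    """Return the risky grants in one manifest (MV2 keeps hosts in 'permissions',
    MV3 moves them to 'host_permissions'; optional_* grants are not counted here)."""
    declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    # A content script matched on every URL reads pages just like a broad host permission.
    for script in manifest.get("content_scripts", []):
        declared |= set(script.get("matches", []))
    return {
        "name": manifest.get("name", "?"),      # store-localized names show up as __MSG_x__
        "version": manifest.get("version", "?"),
        "broad_hosts": sorted(declared & BROAD_HOSTS),
        "sensitive_apis": sorted(declared & SENSITIVE_APIS),
    }

def audit_profile(extensions_dir: Path) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and keep only flagged entries."""
    findings = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        with open(manifest_path, encoding="utf-8") as fh:
            result = audit_manifest(json.load(fh))
        result["id"] = manifest_path.parent.parent.name
        if result["broad_hosts"] or result["sensitive_apis"]:
            findings.append(result)
    return findings

if __name__ == "__main__":
    # Typical Chrome locations (assumed): Windows %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions,
    # Linux ~/.config/google-chrome/Default/Extensions; Edge uses Microsoft\Edge / microsoft-edge instead.
    for hit in audit_profile(Path(sys.argv[1])):
        print(f"{hit['id']} {hit['name']} {hit['version']}: "
              f"hosts={hit['broad_hosts']} apis={hit['sensitive_apis']}")
```

Run it against each user profile on a device and compare the flagged IDs with your approved list; anything with broad hosts that is not on the list is a candidate for removal.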
Browser management is underrated.
Chrome Enterprise and Edge both ship with the ability to allowlist extensions for free. We'll help you set it up.
1. Audit extensions on every company device this month. Remove the unused ones.
2. Turn on browser management in Chrome Enterprise or Edge to enforce the approved list.
3. Allowlist only vetted extensions for finance and executive users.
4. Review extension permissions before installing anything new.
5. Add a quarterly extension audit to your ongoing security cadence.
Want help securing your business?
Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.