Majority of Browser Extensions Can Access Sensitive Enterprise Data, New Report Finds

Everybody knows browser extensions are embedded into nearly every user's daily workflow, from spell checkers to GenAI tools. What most IT and security people don't know is that browser extensions' excessive permissions are a growing risk to organizations.

LayerX today announced the release of the Enterprise Browser Extension Security Report 2025. This report is the first and only report to merge public extension marketplace statistics with real-world enterprise usage telemetry. By doing so, it sheds light on one of the most underestimated threat surfaces in modern cybersecurity: browser extensions.

The report reveals several findings that IT and security leaders will find interesting as they build their plans for H2 2025. This includes information and analysis on how many extensions have risky permissions, which kinds of permissions are given, whether extension developers are to be trusted, and more. Below, we bring key statistics from the report.

Highlights from the Enterprise Browser Extension Security Report 2025

1. Browser extensions are ubiquitous in enterprise environments. 99% of employees, nearly all, have browser extensions installed. 52% have more than 10 extensions installed.


Security analysis: Almost all employees are exposed to browser extension risk.

2. Most extensions can access critical data. 53% of enterprise users' extensions can access sensitive data like cookies, passwords, web page contents, browsing information, and more.

Security analysis: An employee-level compromise could jeopardize the entire organization.

3. Who publishes these extensions? Who knows? More than half (54%) of extension publishers are unknown and only identified via Gmail. 79% of publishers have only published one extension.

Security analysis: Tracking the reputability of extensions is difficult, if possible at all with IT resources.

4. GenAI extensions are a growing threat. Over 20% of users have at least one GenAI extension, and 58% of these have high-risk permission scopes.

Security analysis: Enterprises should define clear policies for GenAI extension use and data sharing.

5. Unmaintained and unknown browser extensions are a growing concern. 51% of extensions haven't been updated in over a year, and 26% of enterprise extensions are sideloaded, bypassing even basic store vetting.


Security analysis: Extensions can be vulnerable even if they are not purposefully malicious.

5 Recommendations for Security and IT

The report not only brings data, it also provides actionable guidance for security and IT teams, recommending how to deal with the browser extension threat.

Here's what LayerX advises organizations:

  • Audit all extensions – A full picture of extensions is the foundation for understanding the threat surface. Therefore, the first step in securing against malicious browser extensions is to audit all extensions in use by employees.
  • Categorize extensions – Certain types of extensions are more appealing to attack. This may be due to their broad user base (such as GenAI extensions) or because of the permissions granted to such extensions. Categorizing extensions can help assess the browser extension security posture.
  • Enumerate extension permissions – The next step is to list the information extensions can access. This helps further map the attack surface and configure policies later on.
  • Assess extension risk – Now it's time for risk management. This means assessing the risk for each extension based on its permissions and the information it can access. In addition, a holistic risk assessment includes external parameters such as reputation, popularity, publisher, and installation method. Together, these parameters should be combined into a unified risk score.
  • Apply adaptive, risk-based enforcement – Finally, organizations can use their analysis to apply adaptive, risk-based enforcement policies tailored to their uses, needs, and risk profile.
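
One way to carry out the enumerate, assess and enforce steps above, as an added example that is not from LayerX or the report: it splits each extension manifest into API and host permissions, then combines them with install method, publisher and update age into a single score. The weights, thresholds, record field names and the sample inventory are assumptions constructed for illustration.

```python
from datetime import date

# Assumed weights and thresholds for illustration; tune them to your own policy.
API_WEIGHTS = {"cookies": 3, "webRequest": 3, "scripting": 3, "debugger": 4,
               "history": 2, "clipboardRead": 2, "tabs": 1}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def enumerate_permissions(manifest):
    """Split a Manifest V2/V3 dict into (API permissions, host match patterns)."""
    hosts = set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    apis = set()
    for perm in manifest.get("permissions", []):
        if isinstance(perm, str):
            # Manifest V2 lists host patterns alongside API names.
            (hosts if "://" in perm or perm == "<all_urls>" else apis).add(perm)
    return apis, hosts

def assess(record, today):
    """Return (score, decision, reasons) for one inventory record."""
    apis, hosts = enumerate_permissions(record["manifest"])
    reasons = [f"api:{p}" for p in sorted(apis) if p in API_WEIGHTS]
    score = sum(API_WEIGHTS[p] for p in apis if p in API_WEIGHTS)
    checks = [
        (4, "all-sites host access", bool(hosts & BROAD_HOSTS)),
        (2, "sideloaded", record["install_method"] == "sideload"),
        (1, "unverified publisher", not record["publisher_verified"]),
        (1, "no update in over a year", (today - record["last_updated"]).days > 365),
    ]
    for points, reason, hit in checks:
        if hit:
            score += points
            reasons.append(reason)
    decision = "block" if score >= 8 else "review" if score >= 4 else "allow"
    return score, decision, reasons

# Constructed sample inventory (not real extensions).
INVENTORY = [
    {"name": "Example Theme", "install_method": "store", "publisher_verified": True,
     "last_updated": date(2025, 3, 1), "manifest": {"manifest_version": 3}},
    {"name": "Example Spell Checker", "install_method": "store", "publisher_verified": True,
     "last_updated": date(2025, 1, 15),
     "manifest": {"manifest_version": 3, "permissions": ["storage"],
                  "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]}},
    {"name": "Example GenAI Helper", "install_method": "sideload", "publisher_verified": False,
     "last_updated": date(2023, 11, 2),
     "manifest": {"manifest_version": 2,
                  "permissions": ["cookies", "tabs", "webRequest", "<all_urls>"]}},
]
```

Calling `assess(record, date.today())` on each inventory record returns the score, the allow/review/block decision and the reasons behind it, which can go straight into a review queue.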

Access the Report

Browser extensions are not just a productivity tool, they are an attack vector most organizations don't know exists. LayerX's 2025 report provides comprehensive findings and data-driven analysis to help CISOs and security teams rein in this risk and build defensible browser environments.

Download the full report.
