In the digital age, the tools we use can often turn against us. A recent study by LayerX highlights a shocking reality: browser extensions, ubiquitous among employees, are rarely monitored or controlled by IT security teams, turning almost every worker into a potential entry point for cyber attacks.

The Alarming Risk of Browser Extensions

With 99% of enterprise users having at least one browser extension, and over half boasting more than ten, these tools pose significant risks. A staggering 53% of users have installed extensions with 'high' or 'critical' permission scopes, enabling access to sensitive information such as passwords, cookies, and browsing history. This widespread integration means that employees are unwittingly exposing their organizations to serious risk.

Generative AI Extensions: A Double-Edged Sword

Adding to the concern, more than 20% of enterprise users have GenAI-enabled extensions installed. These extensions can bypass corporate access controls, gaining privileged access to sensitive data at alarming rates—doubling the risk compared to standard extensions. Notably, 58% of GenAI extensions have 'high' or 'critical' permissions, making them especially dangerous.

Tainted Trust: How Safe Are Your Extensions?

Trust is a luxury when it comes to browser extensions. Surprisingly, 54% of extension publishers utilize free webmail accounts, and a jaw-dropping 79% have only released a single extension. With 22% of these extensions being less than six months old, their credibility is nearly impossible to gauge, leaving organizations vulnerable.

The Dangers of Abandonment

A further threat arises from unmaintained extensions. A whopping 51% of all extensions have not received updates in over a year, exposing them to vulnerabilities and raising the risk of abandoned tools that could harbor hidden exploits. Particularly concerning are the 25% of extensions tied to anonymous Gmail accounts, which often indicates a lack of oversight and higher potential for malicious intents.

The Urgent Call for Awareness

As Or Eshed, CEO of LayerX Security, sharply points out, "Browser extensions have quietly become one of the most overlooked threat surfaces in enterprise environments." With 17% of extensions coming from non-official stores and 26% being side-loaded—installed directly via other processes—the security threat extends far beyond traditional platforms. It’s time for organizations to prioritize monitoring and management of browser extensions to avoid becoming easy targets for cybercriminals.