
Browser Extension Security: Risks and How to Protect Your Organization

Browser extensions are a major enterprise security risk. Learn about the permission model, malicious extension tactics, enterprise policies, and safe extension practices.

March 9, 2026 · 6 min read · ShipSafer Team


Browser extensions are one of the most underestimated attack surfaces in enterprise security. They run with elevated privileges inside the browser, can access every website an employee visits, and are installed with minimal friction — often from third-party sources outside corporate app stores.

The 2023 DataSpii breach exposed browsing history from millions of users through legitimate-looking extensions that silently exfiltrated browsing data. In 2024, multiple Chrome extension supply chain attacks compromised developer credentials and modified extensions to inject malicious content. The threat is real, ongoing, and often invisible to security teams.

How the Extension Permission Model Works

Chrome (Manifest V3) and Firefox extensions request permissions at installation time. Users must approve them, but the approval dialog obscures the actual scope of access.

High-risk permissions:

| Permission | What it grants | Risk |
| --- | --- | --- |
| <all_urls> | Read/modify content on any website | Can steal credentials, session cookies, form data |
| cookies | Read/write cookies for any site | Session hijacking |
| webRequest | Intercept and modify network requests | MitM on any HTTP request |
| tabs | Access URLs and titles of all open tabs | Full browsing history |
| storage | Read/write browser storage | Persistence, data exfiltration |
| nativeMessaging | Communicate with native apps | Bypass browser sandbox |
| clipboardRead | Access clipboard contents | Steal passwords copied from managers |

An extension requesting <all_urls> + cookies + storage has everything it needs to exfiltrate session tokens and impersonate users on any site — including your internal applications, email, and SaaS tools.

How Malicious Extensions Operate

Typosquatting and naming confusion: A malicious extension is published in the Chrome Web Store under a name such as "Adobe PDF Viewer Helper" or "Zoom Scheduler", with an icon resembling a trusted product. Users install it believing it is legitimate.

Supply chain compromise: A legitimate extension is acquired by an attacker (or the developer's account is compromised via phishing). The attacker publishes an update with malicious code. Every existing user silently receives the update within hours.

Ad injection and click fraud: Extensions inject advertising into web pages, redirect searches, or simulate ad clicks for revenue. Lower severity than credential theft but still a policy violation.

Data exfiltration: Extensions read form field values (including passwords), capture keystrokes, exfiltrate browsing history, and harvest cookies. This data is transmitted to attacker-controlled infrastructure.

Credential harvesting: An extension observes the user logging into sites and captures credentials. The New Tab override is a common vector — the extension replaces the browser's new tab page with a fake portal that harvests credentials.

Session hijacking: By reading session cookies (possible with the cookies permission) and transmitting them to an attacker, the attacker can impersonate the victim without knowing their password.

Enterprise Control Policies

Chrome extensions can be controlled centrally through Chrome Enterprise policy (Group Policy or cloud policy) or through an MDM such as Microsoft Intune.

Chrome Enterprise via Group Policy / cloud policy

Allow only approved extensions (allowlist). JSON does not permit comments, so the IDs are documented here rather than inline: the three allowlisted IDs are Google Translate, LastPass and Google Wallet; the force-installed ID is the organization's Securly or DLP extension, which installs on every managed browser and cannot be removed by the user.

{
  "ExtensionInstallAllowlist": [
    "aapbdbdomjkkjkaonfhkkikfgjllcleb",
    "hdokiejnpimakedhajhdlcegeplioahd",
    "nmmhkkegccagdldgiimedpiccmgmieda"
  ],
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallForcelist": [
    "gkojfkhlekighikafcpjkiklfbnlmeio"
  ]
}

Block high-risk permissions and keep all extensions off internal hosts. The "*" key applies to every extension; runtime_blocked_hosts takes host patterns (scheme and host, no path):

{
  "ExtensionSettings": {
    "*": {
      "blocked_permissions": ["cookies", "clipboardRead"],
      "runtime_blocked_hosts": ["*://*.internal.company.com"]
    }
  }
}

Require review for extensions requesting sensitive permissions:

Rather than a blanket block, flag extensions requesting <all_urls>, cookies, or nativeMessaging for security review before approval.

Firefox Enterprise Policy

Firefox reads policies.json (or the equivalent Group Policy / macOS profile). The installation_mode values are allowed, blocked, force_installed and normal_installed; force_installed requires an install_url and, like Locked, prevents the user from removing the extension:

{
  "policies": {
    "Extensions": {
      "Install": ["https://approved-addons.company.com/extension.xpi"],
      "Uninstall": ["malicious@extension.id"],
      "Locked": ["important-security@company.com"]
    },
    "BlockAboutAddons": true,
    "ExtensionSettings": {
      "*": {
        "installation_mode": "blocked"
      },
      "approved-extension@company.com": {
        "installation_mode": "force_installed",
        "install_url": "https://approved-addons.company.com/extension.xpi"
      }
    }
  }
}

Microsoft Edge via Intune

Edge integrates with Microsoft Intune and Microsoft Defender for Endpoint. The "Configure extension management settings" policy (ExtensionSettings) accepts the same JSON format as Chrome Enterprise, so the policies above can be reused.

Security Review Process for Extensions

Before approving an extension for the allowlist:

  1. Verify the publisher — Is it from the vendor you expect? Check the CRX ID against the official vendor documentation.

  2. Audit requested permissions — Does the permission set match the extension's stated function? A calculator extension requesting <all_urls> is suspicious.

  3. Check update history — Has the extension changed publishers or had sudden permission escalations? Both are red flags.

  4. Review with CRXcavator — Cisco's CRXcavator (crxcavator.io) scores Chrome extensions on risk based on permissions, CSP, and vulnerability history.

  5. Check the Web Store review count and age — New extensions with few reviews are higher risk than established extensions with thousands of users.

  6. Test in a sandbox — Install the extension in an isolated Chrome profile with Wireshark running. Observe what network connections it makes.

  7. Annual re-review — Extensions change via silent updates. Re-validate the permission set annually.

Safe Extension Practices for Employees

Even in organizations without formal extension policies, these practices reduce individual risk:

  • Prefer built-in browser features over extensions. Modern Chrome, Firefox, and Edge have built-in PDF viewers, translation, and password managers.

  • Use browser profiles — Keep a clean work profile with only work-approved extensions. Use a separate personal profile for personal extensions. They cannot access each other's cookies or storage.

  • Review permissions before installing — If a grammar checker is requesting access to "read and change all your data on all websites," decline.

  • Remove unused extensions — Every extension is attack surface. Uninstall extensions you haven't used in 30 days.

  • Keep extensions updated — An outdated extension may be vulnerable. But also: check the changelog before updating high-trust extensions, as supply chain compromises often arrive via updates.

Monitoring and Detection

Even with allowlists, monitoring provides a safety net.

Log installed extensions via endpoint management. Alert on:

  • Extensions installed on managed devices that are not on the allowlist
  • Extensions with permissions not present during their initial review (permission escalation via update)
  • Network connections from browser processes to unusual destinations
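The two alerts that come from extension inventory (not on the allowlist, permissions not present at review) and step 2 of the review process above (does the permission set match the stated function?) can be automated once manifests are collected from endpoints. The following is an added example for this article, not ShipSafer's or any vendor's code. It assumes an endpoint agent has already reported each installed extension's manifest.json as a dict; the extension IDs, manifests, allowlist and review baseline are constructed placeholders. The risk weights follow the high-risk permission table above, and MV2 host patterns in "permissions" are normalised alongside MV3 "host_permissions" so that both manifest versions compare like for like.

```python
"""Extension inventory audit: allowlist check, permission-escalation check and
a risk score based on the high-risk permissions table.

Added example; all manifests and extension IDs are constructed placeholders.
"""

# Weights for the high-risk permissions; higher means more damage if abused.
HIGH_RISK_WEIGHTS = {
    "<all_urls>": 5,
    "cookies": 4,
    "webRequest": 4,
    "nativeMessaging": 4,
    "clipboardRead": 3,
    "tabs": 2,
    "storage": 1,
}

# Host patterns that are equivalent to "every site".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def effective_permissions(manifest):
    """Normalise a Manifest V2 or V3 manifest into one set of permissions.

    MV2 lists host patterns inside "permissions"; MV3 moves them to
    "host_permissions". Any broad host pattern is also recorded as
    "<all_urls>" so the two manifest versions compare like for like.
    """
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))
    if perms & BROAD_HOST_PATTERNS:
        perms.add("<all_urls>")
    return perms


def risk_score(manifest):
    """Sum the weights of the high-risk permissions the extension requests."""
    return sum(HIGH_RISK_WEIGHTS.get(p, 0) for p in effective_permissions(manifest))


def audit(inventory, allowlist, baseline):
    """Return {extension_id: [finding, ...]} for an inventory of manifests.

    inventory: {extension_id: manifest dict} as reported by an endpoint agent
    allowlist: set of approved extension IDs
    baseline:  {extension_id: set of permissions recorded at security review}
    """
    report = {}
    for ext_id, manifest in inventory.items():
        findings = []
        perms = effective_permissions(manifest)
        if ext_id not in allowlist:
            findings.append("not on allowlist")
        reviewed = baseline.get(ext_id)
        if reviewed is not None:
            # Anything requested now that was not present at review time
            escalated = sorted(perms - reviewed)
            if escalated:
                findings.append("permission escalation since review: " + ", ".join(escalated))
        # The combination the article singles out: every site plus cookie or request access
        if "<all_urls>" in perms and perms & {"cookies", "webRequest"}:
            findings.append("can read or intercept session data on every site")
        report[ext_id] = findings
    return report


# Constructed inventory; placeholder IDs (real Chrome IDs are 32 letters a-p).
NOTES_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
GRAMMAR_ID = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
SIDELOADED_ID = "cccccccccccccccccccccccccccccccc"

SAMPLE_INVENTORY = {
    # Least-privilege MV3 extension: storage plus one scoped host.
    NOTES_ID: {
        "manifest_version": 3,
        "name": "Team Notes",
        "permissions": ["storage"],
        "host_permissions": ["https://notes.example.com/*"],
    },
    # Approved at review with storage + tabs; a later update added cookies and <all_urls>.
    GRAMMAR_ID: {
        "manifest_version": 3,
        "name": "Grammar Helper",
        "permissions": ["storage", "tabs", "cookies"],
        "host_permissions": ["<all_urls>"],
    },
    # Sideloaded MV2 extension that was never reviewed.
    SIDELOADED_ID: {
        "manifest_version": 2,
        "name": "PDF Viewer Helper",
        "permissions": ["http://*/*", "https://*/*", "webRequest", "clipboardRead"],
    },
}
ALLOWLIST = {NOTES_ID, GRAMMAR_ID}
BASELINE = {
    NOTES_ID: {"storage", "https://notes.example.com/*"},
    GRAMMAR_ID: {"storage", "tabs"},
}

if __name__ == "__main__":
    for ext_id, findings in audit(SAMPLE_INVENTORY, ALLOWLIST, BASELINE).items():
        manifest = SAMPLE_INVENTORY[ext_id]
        print(f"{manifest['name']} ({ext_id[:8]}...) risk={risk_score(manifest)}")
        for finding in findings:
            print("  ALERT:", finding)
```

Run against the constructed inventory, the note-taker produces no findings, the grammar checker is flagged for escalating to <all_urls> and cookies since its review, and the sideloaded PDF helper is flagged both as unlisted and as able to intercept session data everywhere. Feeding the report into a SIEM as one event per finding gives the "not on allowlist" and "permission escalation" alerts listed above without depending on the Web Store's own change notifications.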

Browser security solutions like Perception Point, Island Enterprise Browser, and Talon Security provide deeper visibility into extension behavior and the ability to enforce policies at runtime, including blocking specific network destinations from within extensions.

The pragmatic approach: implement a default-deny extension policy for privileged users (IT admins, finance, executive assistants, legal) even if the broader organization runs default-allow. The accounts most worth protecting against credential theft are those with the broadest access.
