
LayerX has released the groundbreaking "Enterprise Browser Extension Security Report 2025," highlighting significant security vulnerabilities in browser extensions that pose substantial risks to organisations. This first-of-its-kind report combines public extension marketplace data with enterprise usage telemetry to expose one of the most overlooked threat surfaces in cybersecurity.

Key Findings

  1. Ubiquitous Presence: Browser extensions are present in virtually all enterprise environments, with 99% of employees having extensions installed and 52% using more than 10 extensions.
  2. Access to Critical Data: A majority (53%) of enterprise users' extensions can access sensitive information including cookies, passwords, web page contents, and browsing data.
  3. Unknown Publishers: Over half (54%) of extension publishers are unidentifiable beyond a Gmail address, and 79% have only published a single extension, making reputation tracking nearly impossible.
  4. GenAI Extension Risks: More than 20% of users have at least one GenAI extension installed, with 58% of these extensions having high-risk permission scopes.
  5. Maintenance Concerns: 51% of extensions haven't received updates in over a year, while 26% of enterprise extensions are sideloaded, bypassing standard store security vetting.

Recommendations for Security Teams

The report offers practical guidance for addressing browser extension threats:

  1. Complete Extension Audit: Develop a comprehensive inventory of all browser extensions used across the organisation.
  2. Extension Categorisation: Identify and categorise extensions based on their function and potential risk profiles.
  3. Permission Analysis: Document the specific permissions granted to each extension to understand potential access to sensitive data.
  4. Risk Assessment: Create a unified risk scoring system incorporating permissions, publisher reputation, popularity, and installation method.
  5. Risk-Based Enforcement: Implement adaptive policies tailored to organisational needs and risk tolerance.
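
Recommendations 3 to 5 can be sketched as a small scoring script. This is an added example, not code from the LayerX report: it reads each extension's manifest.json fields and combines permissions, publisher, update age, popularity and installation method into one score. The weights, tier thresholds and inventory metadata field names (`install_source`, `publisher_verified`, `last_updated`, `users`) are assumptions, and the sample inventory is constructed.

```python
from datetime import date

# Assumed weights: the report names the risk factors, not a formula.
PERM_WEIGHTS = {"cookies": 3, "webRequest": 3, "scripting": 3,
                "history": 2, "tabs": 2, "clipboardRead": 2}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def score_extension(manifest, meta, today):
    """Return (score, reasons) from a manifest.json dict plus inventory metadata."""
    perms = set(manifest.get("permissions", []))
    # Manifest V3 lists host patterns separately; V2 mixes them into "permissions".
    hosts = perms | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    findings = [("permission:" + p, PERM_WEIGHTS[p]) for p in sorted(perms & set(PERM_WEIGHTS))]
    checks = [
        (bool(hosts & BROAD_HOSTS), 4, "hosts:all-sites"),
        (meta.get("install_source") == "sideloaded", 3, "sideloaded"),
        (not meta.get("publisher_verified", False), 2, "publisher:unverified"),
        ((today - date.fromisoformat(meta["last_updated"])).days > 365, 2, "stale:>1y"),
        (meta.get("users", 0) < 1000, 1, "low-adoption"),
    ]
    findings += [(label, weight) for hit, weight, label in checks if hit]
    return sum(w for _, w in findings), [label for label, _ in findings]

def triage(inventory, today):
    """Rank extensions by score and map each to an assumed enforcement tier."""
    rows = []
    for item in inventory:
        score, reasons = score_extension(item["manifest"], item["meta"], today)
        tier = "block" if score >= 10 else "review" if score >= 5 else "allow"
        rows.append((item["name"], score, tier, reasons))
    return sorted(rows, key=lambda row: -row[1])

# Constructed sample inventory (not real extensions).
INVENTORY = [
    {"name": "ai-helper",
     "manifest": {"permissions": ["cookies", "scripting", "storage"], "host_permissions": ["<all_urls>"]},
     "meta": {"install_source": "sideloaded", "publisher_verified": False, "last_updated": "2023-11-02", "users": 400}},
    {"name": "spell-check",
     "manifest": {"permissions": ["storage"], "content_scripts": [{"matches": ["https://docs.example.com/*"]}]},
     "meta": {"install_source": "store", "publisher_verified": True, "last_updated": "2025-03-10", "users": 250000}},
]

if __name__ == "__main__":
    for name, score, tier, reasons in triage(INVENTORY, date(2025, 6, 1)):
        print(f"{name:12} {score:3} {tier:7} {', '.join(reasons)}")
```

The reasons list is kept alongside the score so that a "review" or "block" decision can be explained to the extension's users.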

Browser extensions have become deeply integrated into daily workflows, from spell checkers to AI productivity tools. However, as this report demonstrates, they also represent a significant and largely unaddressed security vulnerability that demands immediate attention from IT and security leaders as they develop their cybersecurity strategies for the latter half of 2025.
