- LayerX says that companies are using dozens of extensions daily
- Many are built by anonymous individuals
- Some have extensive permissions, putting confidential data at risk
Browser extensions are increasing the attack surface, putting employees and companies at risk. This is according to the Browser Enterprise 2025 extension report, a new paper published by LayerX, a cybersecurity company specializing in securing web browsing for companies.
The document was written by combining data from public extension marketplaces with real-world enterprise usage telemetry, LayerX said.
The improvements that extensions bring to everyday browsing are undeniable, LayerX said, describing them as “ubiquitous.” Virtually all companies (99%) have at least one installed, and more than half of the organizations analyzed (52%) are running more than ten extensions.
Extensions add risk
Extensions are pieces of software that add features or functionality to web browsers. They can do anything from blocking ads and managing passwords to improving productivity. They can be built by independent companies and developers (including anonymous ones!), and they can be found in browser-specific stores such as the Chrome Web Store or the Firefox add-ons site.
However, the researchers also say that they are dangerous: 53% of the extensions installed in business environments have ‘high’ or ‘critical’ risk permissions, which allow access to confidential data. In addition, more than 20% of business employees are now using GenAI extensions, more than half (58%) of which also have ‘high’ or ‘critical’ permissions.
The problem is further aggravated by the fact that the identity of the extension developer is, in many cases, unknown. More than half (54%) of the extensions are published anonymously, and 79% of the publishers have only published one extension, “making the evaluation of confidence extremely challenging.” Finally, 51% of the extensions have not received an update in more than a year, while 26% were sideloaded, bypassing security vetting.
To mitigate the threat, companies must audit all browser extensions, classify them to understand their risk profiles, and enumerate and analyze their permissions “meticulously,” LayerX suggested. Comprehensive risk assessments must also feed into adaptive, risk-based security policies.
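One way to start the audit and classification described above is to read each installed extension's manifest.json and grade the permissions it requests. The Python below is an added example, not LayerX's tooling or scoring: the risk tiers, the function names and the sample manifests are assumptions constructed for illustration.

```python
# Added example. Risk tiers are illustrative assumptions, not LayerX's scoring.
CRITICAL = {"debugger", "nativeMessaging", "proxy"}
HIGH = {"cookies", "webRequest", "history", "tabs", "scripting",
        "clipboardRead", "downloads", "management"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
ORDER = ["low", "medium", "high", "critical"]

def granted(manifest):
    """Split everything a Manifest V2 or V3 file requests into APIs and hosts."""
    perms, hosts = set(), set()
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        for p in manifest.get(key, []):
            if not isinstance(p, str):
                continue
            # MV2 mixes host patterns into "permissions"; separate them here.
            (hosts if "://" in p or p == "<all_urls>" else perms).add(p)
    # Content scripts run inside matching pages, so their matches count as hosts.
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return perms, hosts

def classify(manifest):
    """Return (risk_level, reasons) for one manifest."""
    perms, hosts = granted(manifest)
    broad = bool(hosts & BROAD_HOSTS)
    reasons = sorted(perms & (CRITICAL | HIGH)) + sorted(hosts & BROAD_HOSTS)
    if perms & CRITICAL or (broad and perms & HIGH):
        return "critical", reasons   # sensitive API usable on every site
    if broad or perms & HIGH:
        return "high", reasons
    return ("medium" if hosts else "low"), reasons

def audit(manifests):
    """Rank extensions from highest to lowest risk."""
    rows = [(m.get("name", "?"), *classify(m)) for m in manifests]
    return sorted(rows, key=lambda r: ORDER.index(r[1]), reverse=True)

# Constructed sample manifests (not real extensions).
SAMPLE = [
    {"name": "Tab Tidy", "permissions": ["storage", "alarms"]},
    {"name": "AI Writer", "permissions": ["scripting", "storage"],
     "host_permissions": ["<all_urls>"]},
    {"name": "Coupon Finder", "permissions": ["cookies", "https://shop.example/*"]},
    {"name": "Page Notes", "permissions": ["storage"],
     "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]},
]

if __name__ == "__main__":
    for name, level, reasons in audit(SAMPLE):
        print(f"{level:8} {name:14} {', '.join(reasons) or '-'}")
```

In a real audit the manifests would be loaded from each browser profile's extensions directory or from the organization's management console export, and the tiers tuned to local policy.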
Via BleepingComputer