- LayerX says companies use tens of thousands of extensions daily
- Many are built by anonymous individuals
- Some have extensive permissions that put sensitive data at risk
Browser extensions increase the attack surface and put employees and businesses at risk, according to the 2025 Enterprise Browser Extension Security Report, a new paper published by LayerX, a cybersecurity company specializing in securing web browsing for companies.
The document was prepared by combining data from public extension marketplaces with real-world enterprise usage telemetry, LayerX said.
The improvements extensions bring to everyday browsing are undeniable, LayerX said, describing them as “ubiquitous”. Almost all companies (99%) have at least one installed, and more than half of analyzed organizations (52%) run more than ten extensions.
Extensions add risk
Extensions are pieces of software that add features or functionality to web browsers. These can be anything from blocking ads and managing passwords to improving productivity. They can be built by both businesses and independent (and anonymous!) developers and can be found in browser-specific stores such as the Chrome Web Store or the Firefox Add-ons website.
However, the researchers also claim that they are dangerous, as 53% of installed extensions in corporate environments have ‘high’ or ‘critical’ risk profiles, giving access to sensitive data. In addition, more than 20% of business employees now use GenAI extensions, of which more than half (58%) also have ‘high’ or ‘critical’ permissions.
The problem is further aggravated by the fact that the identity of the extension developer is in many cases unknown. More than half (54%) of extensions are published anonymously and 79% of publishers have released only one extension, “making trust assessment extremely challenging”. Finally, 51% of the extensions have not received an update in more than one year, while 26% are sideloaded, bypassing security.
In order to mitigate the threat, companies must review all browser extensions, categorize them to understand their risk profiles, and enumerate and analyze their permissions “carefully”, LayerX suggested. They should also perform extensive risk assessments and enforce adaptive, risk-based security policies.
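One way to carry out the enumerate-and-categorize step described above is to read each installed extension's manifest.json and bucket it by what it requests. This is an added example, not code from LayerX or its report; the tier sets, function names and sample manifests are assumptions constructed for illustration.

```python
# Tier sets are assumptions for illustration; the report's scoring is not on this page.
CRITICAL_APIS = {"debugger", "nativeMessaging", "proxy"}
HIGH_APIS = {"cookies", "webRequest", "scripting", "history", "tabs",
             "clipboardRead", "management"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
ORDER = ["critical", "high", "medium", "low"]

def enumerate_permissions(manifest):
    """Return (api_permissions, host_patterns) for a Manifest V2 or V3 dict."""
    declared = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    # MV3 lists hosts separately; content scripts also imply host access.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= set(manifest.get("optional_host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    apis = set()
    for perm in declared:
        # MV2 mixes host patterns into "permissions"; split them out.
        if perm == "<all_urls>" or "://" in perm:
            hosts.add(perm)
        else:
            apis.add(perm)
    return apis, hosts

def classify(manifest):
    apis, hosts = enumerate_permissions(manifest)
    broad = bool(hosts & BROAD_HOSTS)
    if apis & CRITICAL_APIS or (broad and apis & HIGH_APIS):
        tier = "critical"
    elif broad or apis & HIGH_APIS:
        tier = "high"
    else:
        tier = "medium" if (apis or hosts) else "low"
    return {"name": manifest.get("name", "?"), "tier": tier,
            "apis": sorted(apis), "hosts": sorted(hosts)}

def audit(manifests):
    return sorted((classify(m) for m in manifests), key=lambda r: ORDER.index(r["tier"]))

# Constructed sample manifests (not real extensions).
SAMPLES = [
    {"name": "Sample Timer", "manifest_version": 3, "permissions": ["alarms"]},
    {"name": "Sample Tab Sorter", "manifest_version": 2,
     "permissions": ["tabs", "https://example.com/*"]},
    {"name": "Sample AI Helper", "manifest_version": 3,
     "permissions": ["scripting", "storage"], "host_permissions": ["<all_urls>"]},
]
if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row["tier"], row["name"], row["apis"], row["hosts"])
```

In a real inventory the manifests would be loaded from each browser profile's extension directory, and the tier sets tuned to the organization's own risk policy.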
Via BleepingComputer