Malicious browser extensions have become a persistent problem for organisational security teams, and one that doesn’t get nearly enough attention. They’ve been used for session and account theft, corporate espionage, ad fraud, and cryptocurrency theft, and high-profile incidents keep coming.
Part of what makes them so useful to attackers is the level of access extensions are granted inside SaaS applications and websites. The other part is how easily they slip through standard security controls. Because they aren’t standalone applications, most security policies and tools simply don’t account for them the way they should.
Dealing with this properly requires a systematic approach: a combination of policy management, monitoring, and dedicated extension analysis tools.
What Browser Extensions Can Actually Do
A browser extension has broad access to whatever a user can access through their browser. That means it can read and modify data inside any web application the user opens: financial records, medical information, anything. Beyond what’s visible on screen, extensions frequently gain access to cookies, local storage, and proxy settings, which makes session hijacking considerably easier. Some extensions go further still, reaching the user’s location data, downloads, clipboard contents, desktop screen capture, and browser notifications.
Browser makers have introduced updates over the years aimed at reducing what extensions can do behind the scenes. Some of these changes have made certain attack techniques harder to execute. But attackers adapt: they rework their approach to stay effective within whatever boundaries exist, and the core threat remains largely intact.
The more fundamental issue is that none of this changes where extensions come from. They’re distributed through official stores on legitimate domains. Their network activity looks like normal browser traffic. That makes it genuinely difficult to separate what an extension is doing from what the user is doing.
How Malicious Extensions End Up on Machines
There are several well-documented patterns. A legitimate, well-regarded extension changes hands, and the new owner quietly introduces malicious code into subsequent updates. Users who trusted the original developer have no reason to suspect anything has changed. In other cases, attackers gain access to a developer’s account and push a compromised update to an existing user base. The extension itself hasn’t changed ownership, but the update carries a hidden payload.
Some extensions are malicious from the start. They present themselves as useful tools and rely on users not looking too closely. A more patient version of this involves publishing a clean, functional extension first, letting it build a genuine user base, and then introducing malicious code later.
There are also targeted scenarios where phishing pages or messages push victims toward installing an extension that isn’t publicly listed in any store at all. Across all of these, automatic updates are what make the problem scale so quickly. Once an extension is installed, any update it receives goes through silently and without user action. An extension that was clean yesterday can be pulling data today, and users won’t notice a thing.
Organisational Defenses Against Malicious Extensions
Addressing this properly means working across policy, technical controls, and ongoing monitoring, not just ticking one box.
- Policy first. The organisation needs a formal position on browser extensions: which ones are permitted, who approves them, and what the process looks like for requesting a new one. Extensions not on the approved list shouldn’t be installable.
- Control what browsers are even in use. The official approved browser needs to be enforced as the only option. Portable browser installations and third-party AI-powered browsers should be blocked. Local administrator privileges should be limited to IT staff and roles that specifically require them.
- Manage updates deliberately. Automatic updates for extensions should not roll out to the entire organisation without review. IT and security teams should test new versions of approved extensions before they’re deployed, so that permission changes or behavioural shifts get caught before they reach users.
- Layer your defences. An EDR agent on every corporate device handles blocking unauthorised browsers, flagging visits to phishing sites, and stopping malware downloads. DNS monitoring and firewall-level inspection of browser traffic adds a layer for catching unusual outbound connections and other anomalies in real time.
- Monitor continuously. EDR and SIEM tools should collect browser state data from employee workstations: installed extensions, their versions, and their manifest files. This makes it straightforward to detect when a new extension appears, when an existing one updates, or when a version change brings new permissions.
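The policy and monitoring points above come together in one check: compare what is actually installed against the approved list, and compare today's inventory against yesterday's so that a silent update which broadens permissions stands out. The script below is an added example, not code from the original article or from any product it mentions. It assumes the EDR or SIEM export has already been reduced to a dictionary of extension id to version and manifest; the extension ids, names and manifests are constructed placeholders, and the high-risk permission set is an assumption drawn from the capabilities the article lists (cookies, proxy settings, location, downloads, clipboard, screen capture, notifications), not a complete risk model.

```python
"""Added example (not from the original article): diff two extension inventory
snapshots against each other and against the approved list, flagging new
extensions, version changes and updates that add permissions.
All extension ids, names and manifests are constructed placeholders."""
from typing import Any, Dict, List, Set

# Capabilities the article singles out, expressed as Chrome manifest permission
# names; "<all_urls>" is the broadest host permission. Assumption: a starting
# point for triage, not a complete risk model.
HIGH_RISK_PERMISSIONS = {
    "cookies", "proxy", "webRequest", "webRequestBlocking", "tabs",
    "clipboardRead", "geolocation", "downloads", "desktopCapture",
    "notifications", "<all_urls>",
}

# extension id -> {"version": str, "manifest": dict}
Snapshot = Dict[str, Dict[str, Any]]


def manifest_permissions(manifest: Dict[str, Any]) -> Set[str]:
    """Everything the manifest asks for: API permissions, optional ones, and
    host patterns (inside "permissions" in MV2, "host_permissions" in MV3)."""
    return (set(manifest.get("permissions", []))
            | set(manifest.get("optional_permissions", []))
            | set(manifest.get("host_permissions", [])))


def diff_inventory(previous: Snapshot, current: Snapshot,
                   approved: Dict[str, str]) -> List[Dict[str, Any]]:
    """Return findings as dicts with "id", "kind" and "detail" keys."""
    findings: List[Dict[str, Any]] = []

    def flag(ext_id: str, kind: str, detail: Any) -> None:
        findings.append({"id": ext_id, "kind": kind, "detail": detail})

    for ext_id, entry in sorted(current.items()):
        version, manifest = entry["version"], entry["manifest"]
        perms = manifest_permissions(manifest)
        before = previous.get(ext_id)

        # Policy check: is this extension, at this version, on the approved list?
        if ext_id not in approved:
            flag(ext_id, "not_approved", manifest.get("name", "<unnamed>"))
        elif version != approved[ext_id]:
            flag(ext_id, "unapproved_version",
                 f"{version} installed, {approved[ext_id]} approved")

        # Change detection against the previous snapshot.
        if before is None:
            flag(ext_id, "new_extension", version)
            added = perms
        else:
            if before["version"] != version:
                flag(ext_id, "version_change", f"{before['version']} -> {version}")
            added = perms - manifest_permissions(before["manifest"])
            if added:
                flag(ext_id, "new_permissions", sorted(added))

        # Whether new or updated, call out sensitive permissions it now holds.
        risky = added & HIGH_RISK_PERMISSIONS
        if risky:
            flag(ext_id, "high_risk_permissions", sorted(risky))

    for ext_id in sorted(set(previous) - set(current)):
        flag(ext_id, "removed_extension", previous[ext_id]["version"])
    return findings


# Constructed snapshots: yesterday's and today's inventory from one workstation.
PREVIOUS: Snapshot = {
    "ext-corp-notes": {"version": "2.3.1", "manifest": {
        "name": "Corp Notes", "manifest_version": 3, "permissions": ["storage"]}},
    "ext-pdf-viewer": {"version": "1.0.0", "manifest": {
        "name": "PDF Viewer", "manifest_version": 3, "permissions": ["storage"],
        "host_permissions": ["https://docs.example.internal/*"]}},
}
CURRENT: Snapshot = {
    "ext-corp-notes": PREVIOUS["ext-corp-notes"],
    # Silent auto-update: same extension, new version, far broader access.
    "ext-pdf-viewer": {"version": "1.1.0", "manifest": {
        "name": "PDF Viewer", "manifest_version": 3,
        "permissions": ["storage", "cookies", "webRequest"],
        "host_permissions": ["<all_urls>"]}},
    # Installed outside the approved list (MV2 host pattern inside "permissions").
    "ext-coupon-finder": {"version": "0.9", "manifest": {
        "name": "Coupon Finder", "manifest_version": 2,
        "permissions": ["tabs", "clipboardRead", "<all_urls>"]}},
}
APPROVED = {"ext-corp-notes": "2.3.1", "ext-pdf-viewer": "1.0.0"}

if __name__ == "__main__":
    for f in diff_inventory(PREVIOUS, CURRENT, APPROVED):
        print(f"{f['kind']:24} {f['id']:18} {f['detail']}")
```

Run as-is it reports the PDF viewer's unapproved version, the version change and the three sensitive permissions the update added, and the coupon extension as unapproved, new, and holding high-risk permissions from the start; the unchanged approved extension produces nothing. Feeding it the same snapshot twice yields an empty list, which is the baseline a scheduled job should expect on a clean fleet.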
Vetting Extensions
All of this depends on having an internal list of approved and prohibited extensions, which means the security team has to build an actual assessment process. Browser stores don’t offer the tools needed to evaluate risk at an organisational level, and that work doesn’t happen automatically.
Beyond tooling and process, browser extension risks should be part of security awareness training; employees don’t always realise what they’re granting access to when they install something from a store. Building that awareness reduces the likelihood of people circumventing controls or installing something outside of official channels without thinking twice about it.
