Everybody knows browser extensions are embedded into nearly every user’s daily workflow, from spell checkers to GenAI tools. What most IT and security people don’t know is that browser extensions’ excessive permissions are a growing risk to organizations.
LayerX today announced the release of the Enterprise Browser Extension Security Report 2025, This report is the first and only report to merge public extension marketplace statistics with real-world enterprise usage telemetry. By doing so, it sheds light on one of the most underestimated threat surfaces in modern cybersecurity: browser extensions.
The report reveals several findings that IT and security leaders will find interesting, as they build their plans for H2 2025. This includes information and analysis on how many extensions have risky permissions, which kinds of permissions are given, if extension developers are to be trusted, and more. Below, we bring key statistics from the report.
Highlights from the Enterprise Browser Extension Security Report 2025
1. Browser extensions are ubiquitous in enterprise environments. 99%, nearly all, of employees, have browser extensions installed. 52% have more than 10 extensions installed.
Security analysis: Nearly all employees are exposed to browser extension risk.
2. Most extensions can access critical data. 53% of enterprise users’ extensions can access sensitive data like cookies, passwords, web page contents, browsing information, and more.
Security analysis: An employee-level compromise could jeopardize the entire organization.
3. Who publishes these extensions? Who knows? More than half (54%) of extension publishers are unknown and only identified via Gmail. 79% of publishers only published one extension.
Security analysis: Tracking the reputability of extensions is difficult, if possible at all with IT resources.
4. GenAI extensions are a growing threat. Over 20% of users have at least one GenAI extension, and 58% of these have high-risk permission scopes.
Security analysis: Enterprises should define clear policies for GenAI extension use and data sharing.
5. Unmaintained and unknown browser extensions are a growing concern. 51% of extensions haven’t been updated in over a year, and 26% of enterprise extensions are sideloaded, bypassing even basic store vetting.
Security analysis: Extensions can be vulnerable even if they’re not purposefully malicious.
5 Recommendations for Security and IT
The report not only brings data, it also provides actionable guidance for security and IT teams, recommending how to deal with the browser extension threat.
Here’s what LayerX advises organizations:
- Audit all extensions – A full picture of extensions is the foundation for understanding the threat surface. Therefore, the first step in securing against malicious browser extensions is to audit all extensions in use by employees.
- Categorize extensions – Certain types of extensions that make them appealing to attack. This can be due to their broad user base (such as GenAI extensions) or because of the permissions granted to such extensions. Categorizing extensions can help assess the browser extension security posture.
- Enumerate extension permissions – The next step is to list the information extensions can access. This helps further map the attack surface and configure policies later on.
- Assess extension risk – Now it’s time for risk management. This means assessing the risk for each extension based on their permissions and the information they can access. In addition, a holistic risk assessment includes external parameters such as reputation, popularity, publisher, and installation method. Together, these parameters should be combined into a unified risk score.
- Apply adaptive, risk-based enforcement – Finally, organizations can use their analysis to apply adaptive, risk-based enforcement policies tailored to their uses, needs, and risk profile.
Access the Report
Browser extensions are not just a productivity tool, they’re an attack vector most organizations do not know exists. LayerX’s 2025 report provides comprehensive findings and data-driven analysis to help CISOs and security teams rein in this risk and build defensible browser environments.
About The Author
Original post here
