How Secure Are Chrome, Edge Browser Extensions? Best Practices For Use
If you’re like most of us, you’ve downloaded the perfect browser extensions to make your job easier, whether that’s time-saving keyboard shortcuts or improved functionality and extra features beyond what comes standard with your web browser.
But what would happen if, in doing so, you introduced malware that spies on your company’s devices and tracks your employees’ browser history?
Well, that’s just what happened to millions of people who were caught up in a recent malicious browser extension cyberattack.
Browser extensions, also commonly known as add-ons or plug-ins, let individual employees check their grammar, compare product prices, protect passwords, control email flow, automate scheduling, translate text, get weather forecasts, add emojis, record video, and perform many other functions for a customized browser user experience.
They have become so embedded in today’s workplace environments that they’re now considered to be indispensable tools that help millions of people do their jobs more quickly and easily.
In fact, 99 percent of employees are running browser extensions, according to a newly released Enterprise Browser Extension Security Report 2025 by browser security firm LayerX.
Despite their widespread use, web browser add-ons can also potentially expose your organization’s sensitive personal information and proprietary business data to cybercriminals looking to exploit such information for financial gain.
In this article, we’ll explain how bad actors were able to carry out the most recent browser extension attack. We’ll also explore some of the advantages of browser extensions and detail best practices to protect your business against the security risks they present.
With this information, your team will be able to continue enjoying the benefits of browser add-ons, while having the information needed to spot the red flags and keep your business and data safe.
Why Do People Use Browser Extensions In The Workplace?
Browser extensions have exploded in popularity. Workers have come to rely on them to streamline workflows, boost productivity, manage internal and external communication, simplify repetitive tasks—and much more.
In fact, there are currently more than 100,000 browser add-ons, with Google Chrome being the most popular web browser. They range from IT security tools to simple keyboard shortcuts, and everything in between.
Some popular browser extensions include:
- AdBlock Plus and uBlock Origin: Examples of free, open source browser extensions that filter content to prevent advertisements—including pop-ups, videos, and banner ads—from displaying automatically when browsing a particular website
- Dark Reader: Automatically darkens the background color and changes the text color to provide eye comfort when visiting websites
- LastPass: A password management extension that stores and safeguards all your passwords and login credentials in one place
- Todoist: A scheduling assistant that organizes your schedule and lets you keep track of your current and upcoming tasks, providing reminders before each deadline
- Grammarly and LanguageTool: Two popular editing tools that correct grammar, spelling, and punctuation errors and help improve the readability and flow of your writing
- Previous Tab: A keyboard shortcut browser extension (Ctrl-Q) that lets users easily switch back and forth between the last two most recently opened tabs.
What Are The Dangers Of Downloading Browser Add-ons?
While they can make tasks easier and faster to complete, browser extensions also come with significant risks.
In the latest browser hijacking campaign, millions of Google Chrome and Microsoft Edge users were fooled by a malicious dupe of a legitimate Chrome color picking tool.
The add-on is used to simplify matching and selecting a color from an image and applying it to a design to create a uniform color scheme.
The tool, called “Color Picker, Eyedropper — Geco colorpick” even displayed Google’s verified badge to further increase believability. In addition, it was prominently featured in the Chrome Web Store, thanks to its high user rating.
Following the malicious extension update on June 27, the fake add-on was downloaded more than 100,000 times. Researchers later discovered that 18 add-ons were corrupted, including extensions for VPNs, YouTube unblockers, weather forecasts, and more.
In all, an estimated 2.3 million end users across Chrome and Edge were impacted, according to published reports.
Users were none the wiser about the deception because the tool functioned as usual.
This is not the first time this type of cyber incident has happened. In a similar supply chain cyberattack earlier this year, about 2.6 million users worldwide were affected.
In that attack, which targeted 33 Chrome extensions, threat actors launched a large-scale phishing campaign in which they sent out fake emails pretending to be from Google’s Chrome Web store.
Instead, the phishing emails contained malicious links that redirected unsuspecting users to sites controlled by the attackers, who then stole their credentials.
Although browser extension security has been an ongoing concern, those security risks are amplified because of the more sophisticated tools being used by cybercriminals. Attackers often use complex trojan horses that masquerade as authentic browser extensions and morph into malware that can infect your systems.
Such stealth attacks can allow threat actors to track your online activity, compromise your data, steal session tokens and cookies to hijack user sessions, and launch malicious code to further the attack through ransomware, spyware, or other backdoor methods.
Of the millions of users running browser extensions, over half (52 percent) are using more than 10 add-ons, according to the LayerX report findings.
In addition, the report found that 53 percent of the add-ons that were running in enterprise environments were granted “high” or “critical risk” access permissions.
Browser add-ons can expose user information such as cookies, passwords, and browsing history. Since Chrome automatically updates browser extensions in the background, such broad access could potentially leave your business vulnerable.
Once attackers gain unauthorized access to your systems, this can create an opening for them to launch future attacks by redirecting other web searches to fake sites.
Keep in mind, however, that Google and Edge aren’t alone in such attacks. Mozilla Firefox, open source web browser Chromium, and even content management sites such as WordPress have all been affected, among others.
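The broad access described above (cookies, browsing history, every site) is declared in each extension's manifest.json, so it can be audited. The following Python code is an added example, not part of the original article or the LayerX report; its risk tiers, the approved-permissions baseline, and the sample manifests are assumptions constructed for illustration.

```python
import json
from pathlib import Path

# Risk tiers are assumptions made for this example, not the LayerX report's scoring.
CRITICAL = {"cookies", "debugger", "webRequest", "nativeMessaging", "proxy"}
HIGH = {"history", "tabs", "scripting", "downloads", "clipboardRead", "management"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def requested(manifest):
    """Split a parsed manifest.json into (API permissions, host patterns)."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    hosts = {p for p in perms if "://" in p or p == "<all_urls>"}  # Manifest V2 style
    perms -= hosts
    hosts |= set(manifest.get("host_permissions", []))  # Manifest V3 style
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))  # scripts injected into pages
    return perms, hosts

def rate(manifest):
    """Critical: a critical-tier API plus every-site access. High: any listed API or every-site access."""
    perms, hosts = requested(manifest)
    broad = bool(hosts & BROAD_HOSTS)
    if perms & CRITICAL and broad:
        return "critical"
    return "high" if broad or perms & (CRITICAL | HIGH) else "low"

def audit(installed, approved):
    """Compare installed manifests with the permissions reviewed at approval time."""
    report = {}
    for ext_id, manifest in installed.items():
        perms, hosts = requested(manifest)
        if ext_id not in approved:
            status = "not approved"
        else:
            status = "permissions grew" if (perms | hosts) - approved[ext_id] else "ok"
        report[ext_id] = (rate(manifest), status)
    return report

def load_profile(ext_dir):
    """Read <ext_dir>/<extension id>/<version>/manifest.json for every extension."""
    return {p.parts[-3]: json.loads(p.read_text(encoding="utf-8-sig"))
            for p in Path(ext_dir).glob("*/*/manifest.json")}

# Constructed sample data; the ids stand in for real 32-character extension ids.
INSTALLED = {
    "ext-a": {"permissions": ["storage", "cookies"], "host_permissions": ["<all_urls>"]},
    "ext-b": {"permissions": ["storage"], "content_scripts": [{"matches": ["<all_urls>"]}]},
    "ext-c": {"manifest_version": 2, "permissions": ["storage", "history", "https://*/*"]},
}
APPROVED = {"ext-a": {"storage"}, "ext-b": {"storage", "<all_urls>"}}
```

On a managed endpoint, load_profile would be pointed at a browser profile's Extensions directory. The "permissions grew" status marks an approved add-on whose declared access changed after a background update.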
What Are Ways Businesses Can Reduce Browser Add-on Risks?
Attackers have sharpened their skills in being able to exploit security weaknesses—including human trust—by secretly injecting malicious code into what were previously safe (whitelisted) browser extensions.
In this way, once-popular and approved browser add-ons can be corrupted, giving threat actors a chance to infiltrate your systems and steal or compromise your data.
This means that implicit trust is no longer an option.
To help safeguard your proprietary business data and the sensitive personal information of your employees, customers, and partners, here are some effective security measures:
1. Adopt a Zero Trust architecture (ZTA)
- Zero Trust assumes that a breach is about to happen, so it follows the principle that no one and nothing is to be trusted automatically.
- ZTA requires the implementation of robust security controls for user authentication and verification to minimize the chances of a cyber incident or data breach.
- ZTA controls include a variety of advanced tools and systems, including least privilege access, endpoint detection, network monitoring and microsegmentation, strong data encryption, and incident response, among others.
- Even if you don’t adopt a formal ZT framework, many of the security controls found within it are requirements of federal, state, and industry cybersecurity and privacy regulations and guidelines.
2. Provide employee cybersecurity awareness training
- Develop a cybersecurity culture within your organization to allow employees to take ownership of helping to protect your business.
- Educate employees on your cybersecurity policies and procedures so they know how to safeguard your data and systems to maintain a strong security posture and remain in compliance with any regulatory or industry requirements.
- Train employees to check that the publishers of a particular extension are verified.
- Ensure that you provide regular employee cybersecurity awareness training that includes modules with real-world simulations so your team is informed about the latest tactics and threats.
3. Perform regular testing and scheduled updates
- Ensure that your systems are up-to-date with the latest critical security patches and software updates to protect them against new and emerging vulnerabilities.
- Conduct ongoing penetration tests to regularly check the effectiveness of your security defenses, and run vulnerability scans to identify hidden security flaws.
The Bottom Line: Browser Extension Security
After reading this article, you now understand how web browser extensions can be a double-edged sword.
While they provide many conveniences, streamline functionality, and boost productivity, they also carry increasingly significant security risks to your business.