Browser Extensions: Your Hidden Enterprise Risk
Browser extensions are everywhere. From spell checkers to advanced Generative AI tools, they streamline your daily tasks. Yet these seemingly innocuous additions often hold extensive permissions, creating a significant and often overlooked security risk for your organization. As a SOC analyst, I see this threat growing. It is time to address it head-on.
The Enterprise Browser Extension Threat Landscape
The Enterprise Browser Extension Security Report 2025 by LayerX sheds critical light on the true scope of this problem. It combines public marketplace data with real-world enterprise usage telemetry, revealing a concerning picture.
Ubiquity and Data Access Risk
Browser extensions are deeply embedded in enterprise environments. This ubiquity, combined with broad data access, creates a fertile ground for compromise.
- Prevalence: Virtually every employee, 99% of them, uses browser extensions.
- Density: Over half of employees, 52%, have more than ten extensions installed.
- Risk Exposure: This means nearly all your employees face browser extension risk.
- Sensitive Data Access: A significant portion of extensions, 53% used by enterprise users, can access sensitive data. This includes cookies, passwords, web page contents, and browsing information.
- Security Implication: A single employee-level compromise, stemming from these permissions, can jeopardize your entire organization.
Publisher and Maintenance Concerns
Tracking and trusting extensions is a major challenge for IT and security teams. Several factors contribute to this difficulty.
- Unknown Publishers: More than half of extension publishers, 54%, are unknown. Their only identification is often a Gmail address.
- Singular Publishers: A large majority of publishers, 79%, have released only one extension.
- Security Implication: Assessing the reputability of these extensions is difficult, if not impossible, using standard IT resources.
- Maintenance Issues: Unmaintained browser extensions pose a significant and growing concern. 51% of extensions have not received an update in over a year.
- Sideloading Risk: A notable percentage, 26%, of enterprise extensions are sideloaded. This means they bypass even the basic vetting processes of official extension stores.
- Security Implication: An extension can become vulnerable even if it was initially benign.
Generative AI Extension Threat
Generative AI, or GenAI, extensions represent a rapidly emerging threat surface. Their adoption is swift, and their potential for risk is high.
- Adoption: Over 20% of users have installed at least one GenAI extension.
- High-Risk Permissions: Most of these GenAI extensions, 58%, come with high-risk permission scopes.
- Security Implication: Your enterprise must define clear policies for GenAI extension use and data sharing to mitigate risks.
Case File: The 2025 Malicious Extension Campaign
In a high-profile security incident from July 2025, researchers uncovered a campaign involving 18 malicious browser extensions. These were found in both the official Chrome and Microsoft Edge web stores. This campaign highlights the deceptive tactics threat actors employ.
Attack Scope and Deception
The scale of this attack was considerable, leveraging trust in official stores.
- Infection Count: These 18 extensions collectively infected over 2.3 million users.
- Chrome Web Store: 1.7 million installs originated from the Chrome Web Store.
- Microsoft Edge Store: 600,000 downloads came from the official Microsoft Edge store.
- Advertised Functionality: The malicious add-ons mimicked legitimate tools. They posed as color pickers, VPNs, volume boosters, and emoji keyboards.
- Trust Indicators: Many malicious extensions were verified, featured prominently, and had hundreds of positive reviews. This misled users about their safety.
- Pre-Flagging: One extension, ‘Volume Max — Ultimate Sound Booster,’ had been flagged by LayerX researchers for potential spying, even before its confirmed malicious activity.
Sleeper Agent Mechanism
The attackers used a clever tactic: the malicious code was not present in the initial versions. It was introduced later via updates. These are often called “sleeper agents.”
- Silent Deployment: Google’s auto-update system silently deployed the new, malicious versions to users. This required no user approval or interaction.
- Hypothesized Source: Some extensions were safe for years. Researchers suggest external actors potentially hijacked or compromised them, then introduced the malicious code.
- Malicious Function: The malicious functionality resided in the background service worker. It used the Chrome Extensions API to register a listener. This listener triggered every time a user navigated to a new webpage.
Data Exfiltration and Hijacking Tactics
Upon visiting a new webpage, the malicious extension would perform several critical steps, demonstrating its data exfiltration and hijacking capabilities.
- It captured the URL of the visited page.
- This URL information, along with a unique tracking ID for the user, was exfiltrated to a remote server. This is a Command and Control, or C&C, server.
- The C&C server could respond with redirection URLs. This allowed it to hijack the user’s browsing activity.
- This capability presents a direct cyberattack vector. The server could send users to unsafe destinations. These destinations could enable further cyberattacks.
For example, this mechanism could intercept a Zoom meeting invitation link click. It could then redirect you to a convincing fake page demanding a “critical Zoom update.” This ultimately leads to additional malware installation and potential full device compromise. This is why vigilance is crucial.
Identified Malicious Extensions and C&C Domains
Researchers at Koi Security discovered and reported these extensions. Google removed all identified extensions from the Chrome Web Store by July 10. Your awareness of these specific identifiers is important for detection and remediation.
Malicious Chrome Extensions Identified:
- Color Picker, Eyedropper — Geco colorpick (ID: eokjikchkppnkdipbiggnmlkahcdkikp)
- Emoji keyboard online — copy&paste your emoji (ID: kgmeffmlnkfnjpgmdndccklfigfhajen)
- Free Weather Forecast (IDs: dpdibkjjgbaadnnjhkmmnenkmbnhfobj and gaiceihehajjahakcglkhmdbbdclbnlf)
- Video Speed Controller — Video manager (Note: This is distinct from the legitimate “Video Speed Controller” with 3 million users.)
- Unlock Discord — VPN Proxy to Unblock Discord Anywhere (ID: mlgbkfnjdmaoldgagamcnommbbnhfnhf)
- Dark Theme — Dark Reader for Chrome (ID: eckokfcjbjbgjifpcbdmengnabecdakp) (Note: This is not the legitimate “Dark Reader” app.)
- Volume Max — Ultimate Sound Booster (ID: mgbhdehiapbjamfgekfpebmhmnmcmemg)
- Unblock TikTok — Seamless Access with One-Click Proxy (ID: cbajickflblmpjodnjoldpiicfmecmif)
- Unlock YouTube VPN (ID: pdbfcnhlobhoahcamoefbfodpmklgmjm)
- Weather (ID: ihbiedpeaicgipncdnnkikeehnjiddck)
Malicious Edge Extensions Identified:
- Unlock TikTok (ID: jjdajogomggcjifnjgkpghcijgkbcjdi)
- Volume Booster (ID: mmcnmppeeghenglmidpmjkaiamcacmgm)
- Web Sound Equalizer (ID: ojdkklpgpacpicaobnhankbalkkgaafp)
- Header Value (ID: lodeighbngipjjedfelnboplhgediclp)
- Flash Player (ID: hkjagicdaogfgdifaklcgajmgefjllmd)
- Youtube Unblocked (ID: gflkbgebojohihfnnplhbdakoipdbpdm)
- SearchGPT (ID: kpilmncnoafddjpnbhepaiilgkdcieaf)
- Unlock Discord (ID: caibdnkmpnjhjdfnomfhijhmebigcelo)
Malicious Command and Control (C&C) Domains:
The domains used in this campaign include:
- admitab[.]com
- edmitab[.]com
- click.videocontrolls[.]com
- c.undiscord[.]com
- click.darktheme[.]net
- c.jermikro[.]com
- c.untwitter[.]com
- c.unyoutube[.]net
- admitclick[.]net
- addmitad[.]com
- admiitad[.]com
- abmitab[.]com
- admitlink[.]net
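The indicators above are only useful if they are checked against endpoints and logs. The following script is an added example written for this article (it is not Koi Security's or LayerX's tooling): it matches the listed extension IDs against the Chrome/Edge profile layout, matches the defanged C&C domains (and their subdomains) against resolver log lines, and adds a behavioural heuristic for the sleeper-agent mechanism described earlier (a background script that listens for navigation, calls out, and steers tabs). The resolver log format, the placeholder extension ID and the background-script snippet are constructed for the demo; adapt the regex to your own DNS logs.

```python
"""Endpoint audit against the campaign's published indicators: installed
Chrome/Edge extension IDs, C&C hostnames in resolver logs, and a behavioural
check for the navigation-listener-plus-callout pattern in background scripts."""
import re
import tempfile
from pathlib import Path

# The 18 extension IDs listed above (Chrome and Edge stores).
MALICIOUS_EXTENSION_IDS = {
    "eokjikchkppnkdipbiggnmlkahcdkikp", "kgmeffmlnkfnjpgmdndccklfigfhajen",
    "dpdibkjjgbaadnnjhkmmnenkmbnhfobj", "gaiceihehajjahakcglkhmdbbdclbnlf",
    "mlgbkfnjdmaoldgagamcnommbbnhfnhf", "eckokfcjbjbgjifpcbdmengnabecdakp",
    "mgbhdehiapbjamfgekfpebmhmnmcmemg", "cbajickflblmpjodnjoldpiicfmecmif",
    "pdbfcnhlobhoahcamoefbfodpmklgmjm", "ihbiedpeaicgipncdnnkikeehnjiddck",
    "jjdajogomggcjifnjgkpghcijgkbcjdi", "mmcnmppeeghenglmidpmjkaiamcacmgm",
    "ojdkklpgpacpicaobnhankbalkkgaafp", "lodeighbngipjjedfelnboplhgediclp",
    "hkjagicdaogfgdifaklcgajmgefjllmd", "gflkbgebojohihfnnplhbdakoipdbpdm",
    "kpilmncnoafddjpnbhepaiilgkdcieaf", "caibdnkmpnjhjdfnomfhijhmebigcelo",
}
# C&C domains exactly as published (defanged); refang() restores the dots.
C2_DOMAINS_DEFANGED = [
    "admitab[.]com", "edmitab[.]com", "click.videocontrolls[.]com",
    "c.undiscord[.]com", "click.darktheme[.]net", "c.jermikro[.]com",
    "c.untwitter[.]com", "c.unyoutube[.]net", "admitclick[.]net",
    "addmitad[.]com", "admiitad[.]com", "abmitab[.]com", "admitlink[.]net",
]

def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".").lower()

C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}

def host_matches(hostname: str, domains=C2_DOMAINS) -> bool:
    """Exact match or any subdomain of a listed domain; trailing dot tolerated."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)

def find_flagged_extensions(profile_roots, blocklist=MALICIOUS_EXTENSION_IDS):
    """Chrome and Edge keep installed extensions under <profile>/Extensions/<id>/<version>/
    (e.g. 'User Data/Default' on Windows, '~/.config/google-chrome/Default' on Linux)."""
    hits = []
    for root in profile_roots:
        ext_dir = Path(root) / "Extensions"
        if not ext_dir.is_dir():
            continue
        for entry in ext_dir.iterdir():
            if entry.is_dir() and entry.name in blocklist:
                versions = sorted(p.name for p in entry.iterdir() if p.is_dir())
                hits.append((entry.name, versions))
    return hits

# Constructed resolver-log shape (hypothetical); adapt the regex to your DNS logs.
DNS_QUERY = re.compile(r"query:\s+(\S+)")

def match_c2_queries(log_lines, domains=C2_DOMAINS):
    hits = []
    for line in log_lines:
        m = DNS_QUERY.search(line)
        if m and host_matches(m.group(1), domains):
            hits.append(m.group(1).rstrip("."))
    return hits

# Behavioural heuristic for the mechanism described above: a background script that
# reacts to navigation, calls out, and can steer the tab. Triage hits manually.
BEHAVIOURS = {
    "navigation_listener": re.compile(r"(webNavigation\.on\w+|tabs\.onUpdated)\.addListener"),
    "outbound_call": re.compile(r"\bfetch\(|XMLHttpRequest|navigator\.sendBeacon"),
    "tab_redirect": re.compile(r"tabs\.update\("),
}

def scan_background_script(source: str):
    return sorted(name for name, rx in BEHAVIOURS.items() if rx.search(source))

def demo():
    """Runs offline against a constructed profile tree, log lines and script text."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "Default" / "Extensions"
        (ext / "mgbhdehiapbjamfgekfpebmhmnmcmemg" / "2.4.1_0").mkdir(parents=True)  # listed ID
        (ext / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "1.0_0").mkdir(parents=True)  # placeholder, not listed
        ext_hits = find_flagged_extensions([ext.parent])
    logs = ["12:00:01 client 10.0.0.5 query: click.darktheme.net. IN A",
            "12:00:02 client 10.0.0.5 query: www.example.com. IN A",
            "12:00:03 client 10.0.0.9 query: cdn.admitab.com. IN A"]
    # constructed token-only snippet for the heuristic; not code from the campaign
    snippet = ("chrome.webNavigation.onCompleted.addListener(handler); "
               "fetch(endpoint); chrome.tabs.update(tabId, opts);")
    return ext_hits, match_c2_queries(logs), scan_background_script(snippet)

if __name__ == "__main__":
    print(demo())
```

On a real endpoint, pass the actual profile directories (every profile, not only `Default`) to `find_flagged_extensions`, and feed `match_c2_queries` your resolver or proxy logs. The ID and domain checks are exact indicators; the behavioural scan is a triage signal that also catches extensions outside the published list, so treat its hits as leads for manual review rather than verdicts.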
Proactive Defense: Organizational Strategies
LayerX’s 2025 report offers clear, actionable guidance for security and IT teams. Implement these five recommendations to build a defensible browser environment for your organization.
- Audit all extensions: You must first understand your threat surface. Obtain a full picture of every extension currently in use by your employees.
- Categorize extensions: Organize extensions based on factors like broad user base, such as GenAI extensions, or granted permissions. This helps assess your overall browser extension security posture.
- Enumerate extension permissions: List the exact information each extension can access. This further helps map your attack surface and allows for precise policy configuration.
- Assess extension risk: Conduct a holistic risk management assessment for each extension. Base this on its permissions and accessible information. Incorporate external factors such as publisher, reputation, popularity, and installation method, for example sideloaded versus store-installed. This creates a unified risk score.
- Apply adaptive, risk-based enforcement: Use your analysis to apply enforcement policies. Tailor these to your organization’s specific needs, uses, and risk profile.
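The five steps above, from enumerating permissions through a unified risk score to enforcement, can be run as one small pipeline. The script below is an added example written for this article, not LayerX's product or scoring model: it splits a manifest's API and host permissions (MV2 and MV3 layouts), scores them together with the publisher, install-method and staleness factors the report highlights, diffs permissions across an update (the check to run before accepting a new permission prompt), and emits Chrome `ExtensionSettings` policy entries. The permission weights and thresholds are assumptions; the manifests and 32-character IDs are constructed placeholders.

```python
"""Added example: enumerate manifest permissions, score risk with the publisher
and maintenance factors from the report, diff permissions across an update, and
emit Chrome ExtensionSettings policy entries from the verdicts."""
import json
from datetime import date

# Weight per API permission. The set follows the report's notion of sensitive
# data (cookies, page contents, browsing information); the weights are an assumption.
PERMISSION_WEIGHTS = {
    "cookies": 3, "webRequest": 3, "webRequestBlocking": 3, "scripting": 3,
    "tabs": 2, "webNavigation": 2, "history": 2, "clipboardRead": 2,
    "declarativeNetRequest": 2, "downloads": 1, "storage": 0, "activeTab": 0, "alarms": 0,
}
UNKNOWN_PERMISSION_WEIGHT = 1  # anything not in the table still counts a little

def is_host_pattern(p: str) -> bool:
    return p == "<all_urls>" or "://" in p

def enumerate_permissions(manifest: dict) -> dict:
    """Split API from host permissions. MV2 keeps hosts inside 'permissions',
    MV3 uses 'host_permissions'; content-script match patterns are host access too."""
    api, hosts = set(), set()
    for p in manifest.get("permissions", []) + manifest.get("optional_permissions", []):
        (hosts if is_host_pattern(p) else api).add(p)
    hosts.update(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    all_urls = any(h == "<all_urls>" or h.partition("://")[2].startswith("*/") for h in hosts)
    return {"api": sorted(api), "hosts": sorted(hosts), "all_urls": all_urls}

def assess(manifest: dict, *, publisher_known: bool, sideloaded: bool,
           last_update: date, today: date) -> dict:
    """Unified risk score: permissions plus publisher, install method and staleness."""
    perms = enumerate_permissions(manifest)
    score, reasons = 0, []
    for p in perms["api"]:
        w = PERMISSION_WEIGHTS.get(p, UNKNOWN_PERMISSION_WEIGHT)
        if w:
            score += w
            reasons.append(f"permission {p} (+{w})")
    if perms["all_urls"]:
        score += 4
        reasons.append("host access to every site (+4)")
    if not publisher_known:
        score += 2
        reasons.append("publisher unknown (+2)")
    if sideloaded:
        score += 3
        reasons.append("sideloaded, bypassed store vetting (+3)")
    if (today - last_update).days > 365:
        score += 2
        reasons.append("no update in over a year (+2)")
    level = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return {"score": score, "level": level, "reasons": reasons, "permissions": perms}

def new_permissions(old_manifest: dict, new_manifest: dict) -> dict:
    """What an update added; run this before accepting a new permission prompt."""
    old, new = enumerate_permissions(old_manifest), enumerate_permissions(new_manifest)
    return {"api": sorted(set(new["api"]) - set(old["api"])),
            "hosts": sorted(set(new["hosts"]) - set(old["hosts"]))}

def policy_entry(ext_id: str, assessment: dict) -> dict:
    """One ExtensionSettings entry. 'blocked' prevents installation; with
    'blocked_permissions' Chrome refuses any version that requests those APIs."""
    level = assessment["level"]
    if level == "high":
        return {ext_id: {"installation_mode": "blocked"}}
    if level == "medium":
        risky = [p for p in assessment["permissions"]["api"] if PERMISSION_WEIGHTS.get(p, 0) >= 2]
        return {ext_id: {"installation_mode": "allowed", "blocked_permissions": risky}}
    return {ext_id: {"installation_mode": "allowed"}}

# Constructed manifests with placeholder IDs; none correspond to real store entries.
BOOSTER_V1 = {"manifest_version": 3, "name": "Example Booster", "version": "1.0",
              "permissions": ["storage"], "host_permissions": []}
BOOSTER_V2 = {"manifest_version": 3, "name": "Example Booster", "version": "2.4.1",
              "permissions": ["tabs", "webNavigation", "storage"],
              "host_permissions": ["<all_urls>"], "background": {"service_worker": "bg.js"}}
NOTES = {"manifest_version": 3, "name": "Example Notes", "version": "1.0",
         "permissions": ["storage", "activeTab"]}
TABGROUP = {"manifest_version": 2, "name": "Example Tab Grouper", "version": "0.9",
            "permissions": ["tabs", "storage", "https://*.example.com/*"]}

def demo(today: date = date(2025, 8, 1)) -> dict:
    cases = {  # placeholder IDs -> (manifest, facts from inventory or store metadata)
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": (BOOSTER_V2, dict(publisher_known=False, sideloaded=False, last_update=date(2024, 3, 1))),
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": (NOTES, dict(publisher_known=True, sideloaded=False, last_update=date(2025, 6, 1))),
        "cccccccccccccccccccccccccccccccc": (TABGROUP, dict(publisher_known=False, sideloaded=False, last_update=date(2025, 5, 1))),
    }
    policy = {"*": {"installation_mode": "blocked"}}  # default-deny; reviewed IDs get explicit entries
    assessments = {}
    for ext_id, (manifest, facts) in cases.items():
        assessments[ext_id] = assess(manifest, today=today, **facts)
        policy.update(policy_entry(ext_id, assessments[ext_id]))
    return {"assessments": assessments, "policy": policy,
            "booster_update_added": new_permissions(BOOSTER_V1, BOOSTER_V2)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

The `"*"` entry makes the policy default-deny, so only extensions that have been through the assessment get an explicit `allowed` entry; a medium-risk extension is allowed but pinned by `blocked_permissions`, which means a later update that adds a risky API (the sleeper-agent pattern) fails to install rather than silently rolling out. The `new_permissions` diff is the same check the article asks users to perform by hand when an update prompts for new permissions.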
Immediate Response: User Remediation Steps
If you or your users discover any of the malicious extensions, immediate action is necessary. These steps are crucial for mitigating potential compromise.
- Removal: Remove all listed extensions without delay.
- Data Clearing: Clear all browsing data. This includes cookies, history, cached files, and site data. This purges any tracking identifiers or stolen session tokens set by the extension. Note: You will need to log back into many sites.
- Account Monitoring: Monitor all your accounts for suspicious activity. Pay particular attention if sensitive sites, such as online banking, were accessed while the extension was active.
- Password Update: Change passwords for any sensitive accounts potentially compromised.
- Enable 2FA: Activate two-factor authentication, 2FA, wherever possible.
- Browser Reset: Reset your browser settings to default. This undoes any changes the extension may have made to your homepage or search engine.
- System Check: Run a full system malware scan. Tools like Malwarebytes can check for additional infections.
- Updates: Ensure your browser and all remaining extensions are up to date.
Always examine new permissions requested by an extension during an update. Confirm they are necessary for the extension’s stated function. While official web stores offer some vetting, this recent campaign demonstrates that even they are not a guarantee of safety.
Your Next Steps for a Secure Browser
Browser extensions enhance productivity, but they also introduce significant risk. You must actively manage this risk. By understanding the threats and implementing robust proactive and reactive measures, you can protect your organization from browser extension-based attacks. Take control of your browser security today.
References
- LayerX: Enterprise Browser Extension Security Report 2025
- Koi Security: Malicious Extension Campaign Findings
- Google Chrome Web Store Security Advisories
- Microsoft Edge Add-ons Security Announcements
