Browser extensions
Extensions read what employees see and type, and almost no company keeps an inventory. What the permissions actually allow, and how to govern them.
of people who use AI at work bring their own tools (Microsoft & LinkedIn, 2024)
An extension with page-read permissions sees every document, ticket, and password field its user ever opens.
what it is
Browser extensions are small software programs that run inside a web browser and can modify how the browser behaves or what it shows. They are available through browser extension stores (Chrome Web Store, Firefox Add-ons, Edge Add-ons) and installed by individual users or pushed to managed devices by IT.
In the context of SaaS security, the concern is the access permissions that extensions request. A browser extension granted "Read and change all your data on all websites" (the install-time warning Chrome shows for the `<all_urls>` or `*://*/*` host permission) can read everything a user sees in their browser: web application content, form input, documents opened in the browser, search queries, and content from internal web tools.
Common enterprise-facing extensions include spelling and grammar checkers, password managers, productivity tools, screen capture utilities, email assistants, and AI writing assistants. Each requests permissions that, in the wrong hands or from an unvetted vendor, create a significant data exposure surface.
why it accumulates
Browser extensions fall into a gap in most access governance processes.
They are not SaaS applications in the traditional sense. They do not appear in OAuth grant lists. They do not show up in identity provider admin consoles. They are not purchased through a procurement process. They are installed directly in the browser by the individual user and, in most environments, require no IT involvement.
Because they are invisible to standard SaaS management tools, they also fall outside standard review processes. Organizations with strong OAuth governance and regular access reviews may still have no visibility into which extensions are running on managed devices.
Extension risk can also change after installation. A reputable extension acquired by a different company may update its data practices. A popular extension can be compromised and start exfiltrating data. The organization has no mechanism to detect this unless it actively monitors extension installations.
what it costs you
Data exfiltration path. An extension with broad page access permissions can read and transmit internal document content, customer data displayed in web applications, credentials entered into forms, and communications in web-based messaging tools. A user installing an extension whose vendor has different interests from yours is enough to open this path.
AI data flow exposure. A class of AI writing assistants, grammar tools, and productivity extensions operates by sending page content to external AI models for processing. The user sees a helpful suggestion. In the background, the content of internal documents, customer communications, or financial data is transmitted to an external service. The organization has no visibility into what was sent or where it went.
Managed device policy violations. Most IT security policies require that software installed on company devices is approved. Extensions installed individually by employees may violate this policy without either party realizing it, creating a compliance gap in regulated environments.
Compromised extension supply chain. Browser extension stores have seen multiple incidents where legitimate, widely-used extensions were acquired by malicious actors and used to exfiltrate data from their established user base. An extension that was safe when installed may not be safe now.
what works
Visibility starts at the endpoint, because that is the only layer where extensions fully exist. Devices managed through Mobile Device Management or endpoint management platforms such as Jamf, Intune, or the Google Admin console can report every installed browser extension across the fleet. Identity-layer tooling, by contrast, sees an extension only when it holds an OAuth grant into the directory, which most do not. The endpoint report is therefore the inventory, and the OAuth grant list is a supplement that catches the subset reaching workspace data directly.
The review that follows is a permissions review more than a vendor review. Extensions requesting broad page access (the right to read or change data on all websites) and those that can modify browsing data deserve attention first, with each checked for whether the permission scope matches the stated function. A spelling checker plausibly needs to read text fields; it does not need every site the browser visits. Categories whose core function involves sending content somewhere else (AI writing tools, screen capture, analytics) warrant the closest look.
An approved extension list, enforced through browser policy pushed by MDM on managed devices (Chrome's ExtensionSettings or ExtensionInstallAllowlist/Blocklist policies, with equivalents in Edge and Firefox), converts that review into a standing control: installations outside the list are blocked or flagged rather than discovered later. Unmanaged devices used by remote workers and contractors fall outside policy enforcement, which is where a clear acceptable use policy, naming permitted and prohibited extension categories and reinforced in security awareness training, carries the load instead.
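The following script generates a default-deny Chrome ExtensionSettings policy from an approved list, as an added example that is not code from this page or from any vendor. It assumes the Chrome enterprise ExtensionSettings schema (the `*` entry with `installation_mode`, `blocked_permissions` and `runtime_blocked_hosts`, and per-extension `installation_mode` plus `update_url`); the extension IDs, the internal host pattern and the descriptions are hypothetical placeholders.

```python
"""Generate a default-deny Chrome ExtensionSettings policy from an approved list.

Added example, not the page's or any vendor's code. Assumes the Chrome enterprise
ExtensionSettings policy schema; the extension IDs and hosts below are hypothetical.
"""
import json

CHROME_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
VALID_MODES = {"allowed", "force_installed", "normal_installed"}
ID_ALPHABET = set("abcdefghijklmnop")  # Chrome extension IDs are 32 chars drawn from a-p

# Hypothetical approved list: extension id -> installation mode.
APPROVED = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "force_installed",  # e.g. the corporate password manager
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "allowed",          # e.g. a reviewed grammar checker
}
# Permissions no extension may hold even after an update, and internal hosts none may read.
BLOCKED_PERMISSIONS = ["nativeMessaging", "debugger", "proxy"]
BLOCKED_HOSTS = ["*://*.example.internal/*"]  # hypothetical internal domain


def is_extension_id(value: str) -> bool:
    """True for a syntactically valid Chrome extension id."""
    return len(value) == 32 and set(value) <= ID_ALPHABET


def build_extension_settings(approved: dict, blocked_permissions, blocked_hosts) -> dict:
    """Return the ExtensionSettings value: '*' default-deny plus one entry per approved id."""
    policy = {
        "*": {
            "installation_mode": "blocked",  # anything not listed below cannot be installed
            "blocked_permissions": list(blocked_permissions),
            "runtime_blocked_hosts": list(blocked_hosts),
            "blocked_install_message": "Not on the approved extension list; request a review.",
        }
    }
    for ext_id, mode in approved.items():
        if not is_extension_id(ext_id):
            raise ValueError(f"not a Chrome extension id: {ext_id!r}")
        if mode not in VALID_MODES:
            raise ValueError(f"unsupported installation_mode for {ext_id}: {mode!r}")
        entry = {"installation_mode": mode}
        if mode != "allowed":
            entry["update_url"] = CHROME_UPDATE_URL  # required when Chrome installs it itself
        policy[ext_id] = entry
    return policy


def linux_policy_file(policy: dict) -> str:
    """JSON body for a file under /etc/opt/chrome/policies/managed/ (Linux managed policy dir)."""
    return json.dumps({"ExtensionSettings": policy}, indent=2)


def unapproved(installed_ids, approved: dict) -> list:
    """Installed ids that are not on the approved list: the 'flag' half of block-or-flag."""
    return sorted(set(installed_ids) - set(approved))


if __name__ == "__main__":
    print(linux_policy_file(build_extension_settings(APPROVED, BLOCKED_PERMISSIONS, BLOCKED_HOSTS)))
```

The `*` entry is what makes the list a control: an allowlist published without a default-deny entry documents intent but blocks nothing. The same JSON value is what an MDM pushes as the ExtensionSettings policy on Windows and macOS; only the delivery mechanism differs by platform.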
Approval is also not permanent. Extensions update frequently, permissions change between versions, and vendors change ownership; the documented store incidents where popular extensions were acquired and turned against their user base all involved software that was safe when installed. An approved extension earns a re-review whenever its permissions or ownership change, and the whole list earns one at least annually.
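The permissions review described two paragraphs up, and the re-review on update described here, come down to reading each extension's manifest. The script below is an added example, not code from this page or its author: it walks a Chrome profile's Extensions directory, triages each manifest by how far its host and API permissions reach, and diffs two versions of one manifest to surface what an update added. It assumes the standard Chrome profile layout (`Extensions/<id>/<version>/manifest.json`) and the Manifest V2/V3 `permissions`, `host_permissions` and `content_scripts` keys; the two sample manifests are constructed for illustration and do not describe a real extension.

```python
"""Inventory installed Chrome-family extensions and triage them by manifest permissions.

Added example, not code from the page or its author. Assumes the standard Chrome
profile layout (Extensions/<id>/<version>/manifest.json); the sample manifests
below are constructed, not real extensions.
"""
import json
import os
import sys
from pathlib import Path

# Host patterns that grant access to every site the browser visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that turn page access into an exfiltration or tampering path.
SENSITIVE_API = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest", "cookies", "history",
    "tabs", "clipboardRead", "nativeMessaging", "debugger", "scripting", "proxy",
    "management", "downloads",
}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Default-profile extension directories per platform (Chrome stable).
CHROME_EXTENSION_DIRS = {
    "linux": "~/.config/google-chrome/Default/Extensions",
    "darwin": "~/Library/Application Support/Google/Chrome/Default/Extensions",
    "win32": "~/AppData/Local/Google/Chrome/User Data/Default/Extensions",
}


def triage_manifest(manifest: dict) -> dict:
    """Classify one parsed manifest.json by the reach its permissions grant."""
    api = set(manifest.get("permissions", []))
    # MV2 listed host patterns inside "permissions"; MV3 moved them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in api if "://" in p or p == "<all_urls>"
    }
    api -= hosts
    # A content script matched on every page is the same read path as a host permission.
    hosts |= {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}
    broad, sensitive = hosts & BROAD_HOST_PATTERNS, api & SENSITIVE_API
    severity = "high" if broad and sensitive else "medium" if broad or sensitive else "low"
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "hosts": sorted(hosts),
        "api": sorted(api),
        "broad_hosts": sorted(broad),
        "sensitive_api": sorted(sensitive),
        "severity": severity,
    }


def permission_delta(old_manifest: dict, new_manifest: dict) -> dict:
    """What an update added; any non-empty field is a re-review trigger."""
    before, after = triage_manifest(old_manifest), triage_manifest(new_manifest)
    return {
        "new_hosts": sorted(set(after["hosts"]) - set(before["hosts"])),
        "new_api": sorted(set(after["api"]) - set(before["api"])),
        "escalated": SEVERITY_RANK[after["severity"]] > SEVERITY_RANK[before["severity"]],
    }


def scan_profile(extensions_root) -> list[dict]:
    """One finding per installed extension version under an Extensions/ directory."""
    root = Path(extensions_root)
    if not root.is_dir():
        return []
    findings = []
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            findings.append({"id": ext_id, "severity": "unreadable", "error": str(exc)})
            continue
        findings.append({"id": ext_id, **triage_manifest(manifest)})
    return findings


# Constructed sample: a grammar helper whose update widened its reach from one site to all.
GRAMMAR_V1 = {
    "manifest_version": 3, "name": "Example grammar helper", "version": "4.1.0",
    "permissions": ["storage"], "host_permissions": ["https://docs.example.com/*"],
    "content_scripts": [{"matches": ["https://docs.example.com/*"], "js": ["inject.js"]}],
}
GRAMMAR_V2 = {
    "manifest_version": 3, "name": "Example grammar helper", "version": "4.2.0",
    "permissions": ["storage", "scripting", "tabs"], "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    root = os.path.expanduser(CHROME_EXTENSION_DIRS.get(sys.platform, CHROME_EXTENSION_DIRS["linux"]))
    ranked = sorted(scan_profile(root), key=lambda f: SEVERITY_RANK.get(f["severity"], -1), reverse=True)
    for finding in ranked:
        print(json.dumps(finding))
    print("update delta:", json.dumps(permission_delta(GRAMMAR_V1, GRAMMAR_V2)))
```

Run per profile on an endpoint, or point `scan_profile` at extension directories collected by the MDM agent; the per-version layout means an extension that updated itself leaves both manifests on disk, which is exactly the pair `permission_delta` compares. The sample pair shows the case the text warns about: version 4.1.0 is scoped to one document site and rates low, version 4.2.0 adds `<all_urls>` plus `scripting` and `tabs` and rates high, and the delta is non-empty.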
let's start with a conversation
Most first conversations start with not quite knowing what you have or where to begin. That's normal, and it's exactly where we're useful.
Tell us what prompted this. An upcoming audit, an incident, a client's security questionnaire, or just a sense that things have gotten messy.
We'll take it from there.

+48 783 762 997
julian@unshadowit.com