Every day, employees install browser extensions - tools that are supposed to make work easier. In reality, some of them may have access to everything happening in the browser and send it to a server on the other side of the world. Without any visible signal.
What extensions are and why they are so powerful
Extensions are small programs installed inside a browser that extend its functionality. They operate exactly where you log in to your bank, corporate email, CRM, or HR system. When you install an extension and click "Allow access to all sites," you give it insight into virtually everything happening in the browser: every page visited, every form field, every password entered.
What a malicious extension can do
- 1
Session hijacking. When you log in to a website, the browser saves a session token - a confirmation that you are logged in. An extension can steal this token and send it to an attacker. The attacker doesn't need your password - the token alone is enough to log in to your account from a different computer. Even two-factor authentication won't help in such a scenario, because the session is already active.
- 2
Form interception. An extension can record everything you type - logins, passwords, payment card numbers. This happens silently, in the background, with no visible indication.
- 3
Redirects. An extension can display a fake copy of a website instead of the real one. You click a link to a Zoom meeting, you land on a page with a "critical update" notice, you download it - and install more malware.
- 4
Activity tracking. Every URL you visit can be sent to an external server. In a corporate environment, this means that someone from outside can see which systems your company uses.
The official store is not a guarantee
You might think that installing extensions only from the official Chrome Web Store is enough. Unfortunately, reality is more alarming.
In July 2025, researchers detected a campaign based on 18 extensions available in the official Chrome and Edge stores - with a total of more than 2.3 million installations. The extensions had good ratings, verification badges, and were featured by the store. They worked normally for a long time - then received malicious code through an update. This phenomenon has a name: sleeper agents - dormant extensions that build a user base for months and then begin malicious activity.
In February 2026, another group of malicious Chrome extensions was detected, impersonating business tools such as Workday and NetSuite, collecting corporate data, emails, and browsing history.
Why this is especially dangerous in a company
An employee installing an extension on a company computer puts not only their own account at risk - they put the entire corporate environment at risk. Their session to CRM, email, project tools, and the admin panel can be hijacked simultaneously.
Many extensions also request permissions far broader than they need. An extension for changing the browser theme does not need access to form content. When an employee decides on granting permissions themselves - they usually click "Allow" because they do not understand what they are accepting.
Solution: an allowlist of extensions
This is not a problem solved by telling employees "be careful." The right approach is managing extensions at the organizational level - defining which extensions are allowed and technically blocking the ability to install others.
The IT administrator defines an allowlist of extensions, verified for security and genuinely needed for work. Everything outside this list is blocked - not because employees are irresponsible, but because without centralized control the company is unable to assess what is installed on its devices. There are tools, such as Microsoft Intune, that make it possible to implement such a policy centrally across all computers at once.
For most companies, the list of allowed extensions is very short: a password manager and possibly tools specific to a given profession. Everything else is potential risk.
How this looks at Helpwise
Lack of a browser extension management policy is one of the most common oversights we detect during IT audits conducted when taking over support for a new client. Extension management is part of a broader endpoint security approach that we implement for our clients. We define an allowed extension policy and implement it centrally - so that no employee can install anything outside the approved list.