Browser Extensions Are the Security Gap Nobody Is Watching

Browser extensions are one of the least scrutinized kinds of software in use by an organization. They’re also one of the most dangerous.

Web browser extensions are genuinely helpful: they add valuable functionality without a significant acquisition process (compare that to exploring and vetting a new web SaaS app for your business). A browser plugin can be a neat, quick, and simple fix for an employee's productivity problem. But browser extensions are also some of the least scrutinized pieces of software in most organizations. They install in seconds, run with surprisingly broad permissions inside your browser, and arrive through official stores like the Chrome Web Store, which gives most people a false sense that someone, somewhere, vetted the plugin's security. In reality, publishing a browser extension requires almost no vetting, so a motivated attacker can ship something that does exactly what it advertises on the surface while quietly doing something far more damaging underneath.

This is an example of what we call the trust gap, and it's a part of your security posture that most organizations haven't fully thought through. Last week, we spoke about long-term employees as part of the trust gap.

Because these extensions have access to almost every part of your browser's functionality, they can harvest two-factor authentication codes, contact lists, and active session tokens from the browser and send all of it to attacker-controlled servers in the background without triggering a single alert in your security stack. No passwords are stolen, no MFA prompts are triggered, and from your authentication system's perspective everything looks completely normal, because the attacker can pick up a valid session token and log in exactly the way the victim would.

Most security strategies are built around protecting the login event with strong passwords, MFA, and conditional access policies, all of which matter and none of which help once a valid session is already running. After authentication succeeds and a token is issued, the question stops being “did you prove who you are?” and becomes “is anyone actually watching what you’re doing with that access?” In most small and mid-sized organizations, the honest answer is no. 

Session token hijacking isn't a new technique, but browser extensions have made it dramatically more accessible to attackers who don't want to trigger the defenses you've spent money building. According to LayerX Security's 2025 Enterprise Browser Extension Security Report, 99% of enterprise users have at least one extension installed in their browser, and 53% have installed extensions with high or critical permission scopes that can access cookies, passwords, and browsing data. The extensions doing the most damage rarely look dangerous, because they're designed to look useful. That is why these browser extensions aren't really a technical exploit so much as social engineering tools that also happen to run malicious code while your employee thinks they're being productive.

Identity controls without identity monitoring are only half of a security program, and the gap between those two things is exactly where attackers are focusing their energy right now. Knowing that someone authenticated successfully at 9 a.m. tells you they had the right credentials at that moment, but it tells you nothing about whether the session running at 9:15 belongs to the same person or to someone sitting at a command-and-control server halfway around the world. Watching for anomalous session behavior, unusual access patterns, and lateral movement after authentication is where real protection lives, and it’s the layer most organizations skip because it feels like an enterprise-level problem that doesn’t apply to them. 
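As an added example (not TorchLight's code or tooling), here is the kind of post-authentication check the paragraph describes: a short Python script that parses constructed login-session events and flags a session token that reappears from a different client address and browser shortly after it was first used. The event field names and the log format are assumptions, not any particular product's schema.

```python
# Added example (not TorchLight's code): flag a session token that is reused
# from a second client fingerprint (IP + user agent) soon after first use.
import json
from datetime import datetime, timedelta

# Constructed sample events: one legitimate login at 9:00, then the same
# session token reused from a different address and client at 9:15.
SAMPLE_EVENTS = """
{"ts": "2025-03-03T09:00:00Z", "user": "jdoe", "session": "s-8f1c", "ip": "203.0.113.10", "ua": "Chrome/123 Windows"}
{"ts": "2025-03-03T09:04:40Z", "user": "jdoe", "session": "s-8f1c", "ip": "203.0.113.10", "ua": "Chrome/123 Windows"}
{"ts": "2025-03-03T09:15:02Z", "user": "jdoe", "session": "s-8f1c", "ip": "198.51.100.77", "ua": "curl/8.5"}
{"ts": "2025-03-03T09:20:00Z", "user": "asmith", "session": "s-21aa", "ip": "203.0.113.22", "ua": "Firefox/124 macOS"}
"""

def parse_events(text):
    """Parse JSON-lines session events (assumed format) into time-sorted dicts."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def find_session_anomalies(events, window=timedelta(hours=1)):
    """Return one alert per event where a session id is seen from a different
    (ip, ua) fingerprint within `window` of the fingerprint first bound to it."""
    first_seen = {}  # session id -> (ts, ip, ua) of its first event
    alerts = []
    for e in events:
        key = e["session"]
        if key not in first_seen:
            first_seen[key] = (e["ts"], e["ip"], e["ua"])
            continue
        ts0, ip0, ua0 = first_seen[key]
        if (e["ip"], e["ua"]) != (ip0, ua0) and e["ts"] - ts0 <= window:
            alerts.append({
                "user": e["user"], "session": key,
                "original": (ip0, ua0), "reused_from": (e["ip"], e["ua"]),
                "minutes_after_first_use": int((e["ts"] - ts0).total_seconds() // 60),
            })
    return alerts

if __name__ == "__main__":
    for alert in find_session_anomalies(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

A real deployment would feed this the identity provider's or web proxy's session logs and tune the window and fingerprint fields to the environment.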

The real question isn’t whether your employees are installing browser extensions right now. It’s whether anyone on your team would know the difference between a useful one and a malicious one. 

Want to explore cybersecurity options by TorchLight Secured & Managed IT? Click here to learn more.