The Unaudited Extension Problem
The Chrome Web Store contains over 180,000 extensions. Many of these extensions — particularly those adding AI capabilities to web browsing — request broad permissions: access to all website content, clipboard access, storage access, and network request interception.
USENIX 2025 research found that 83% of Chrome extensions with broad permissions have never undergone a security audit. These extensions were created, published, and installed by millions of users without any independent verification that they do what they claim — and nothing more.
The security audit gap is a structural feature of how browser extensions are distributed. The Chrome Web Store conducts automated scanning for malware signatures and policy violations, but automated scanning cannot evaluate whether an extension's data collection practices are disclosed accurately, whether API data is transmitted to undisclosed third parties, or whether the extension's stated functionality is its complete functionality.
The Enterprise Exposure
Forrester Research 2024 found that 45% of enterprise employees use browser extensions not approved by IT. The figure reflects the informal way browser extensions are typically adopted: an employee finds a productivity tool, installs it, and uses it — without any interaction with the IT department.
The combination of 83% never-audited and 45% unapproved means that nearly half of enterprise employees are using extensions whose security properties have not been verified by anyone — and whose use has not been sanctioned by the organization that is responsible for the data those employees handle.
For organizations in regulated industries, this creates direct compliance exposure. An HR employee using an unapproved browser extension that collects clipboard content has potentially exposed employee personal data to an unscreened third party. A legal professional using an unapproved AI writing assistant that accesses page content has potentially exposed confidential client information.
What the 900K-User Incident Demonstrates
The January 2026 incident in which malicious Chrome extensions exposed the AI chat histories of 900,000 users — 600,000 from one extension, 300,000 from another — illustrates the failure mode that the 83% unaudited figure describes.
The extensions appeared to provide legitimate AI-related functionality. They were available in the Chrome Web Store. They had user bases large enough to suggest legitimacy. And they were exfiltrating AI conversation content to external servers.
The data exfiltration was complete within 30 minutes of installation. By the time security researchers identified and reported the extensions, the conversation content of 900,000 users — including whatever sensitive information those users had discussed with AI tools — had left their control.
Research from Caviard.AI (2025) found that 67% of AI Chrome extensions collect user data — the majority of the AI extension category. Of those collecting data, the disclosure, security practices, and transmission destinations vary enormously.
The Enterprise Browser Governance Framework
For enterprise security teams, the appropriate response to the unaudited extension problem is not to prohibit all browser extensions — the operational impact of that approach is significant. It is to establish a governance framework that limits exposure to audited, approved extensions for AI functionality specifically.
Extension allowlisting: Define the approved list of browser extensions for enterprise devices. The security team reviews each extension before it is added to the list. Chrome enterprise policy enforcement prevents installation of non-allowlisted extensions.
AI-specific extension vetting: Extensions that process AI prompts receive additional scrutiny — network traffic analysis to confirm transmission destinations, permission scope review, and publisher identity verification.
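The permission scope review step can be started mechanically from an extension's manifest.json. The following is an added example, not code from the article or any vendor; it flags the four broad capabilities named above (all website content, clipboard, storage, network request interception) and the category labels and the sample manifest are constructed for illustration.

```python
import json

# Manifest permission names that map onto the broad capabilities the article
# lists (clipboard, storage, network request interception). The category
# labels are this example's own, not Chrome's.
BROAD_PERMISSIONS = {
    "clipboardRead": "clipboard",
    "clipboardWrite": "clipboard",
    "storage": "storage",
    "webRequest": "network interception",
    "webRequestBlocking": "network interception",
    "declarativeNetRequest": "network interception",
}
# Host patterns that grant access to content on every website.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def review_manifest(manifest_text):
    """Return {category: [granted permissions]} for a manifest.json string."""
    # Covers MV2 (host patterns inside "permissions"), MV3 ("host_permissions")
    # and optional permissions the extension can request later at runtime.
    manifest = json.loads(manifest_text)
    granted = []
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        granted.extend(manifest.get(key, []))
    findings = {}
    for perm in granted:
        if perm in ALL_SITES:
            findings.setdefault("all website content", []).append(perm)
        elif perm in BROAD_PERMISSIONS:
            findings.setdefault(BROAD_PERMISSIONS[perm], []).append(perm)
    # A content script injected on every page also reads all site content.
    for script in manifest.get("content_scripts", []):
        if ALL_SITES & set(script.get("matches", [])):
            findings.setdefault("all website content", []).append(
                "content_scripts:" + ",".join(script["matches"]))
    return findings

# Constructed sample manifest for a fictional AI writing-assistant extension.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example AI Writing Helper",
    "permissions": ["storage", "clipboardRead", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})

if __name__ == "__main__":
    for category, perms in sorted(review_manifest(SAMPLE_MANIFEST).items()):
        print(f"{category}: {', '.join(perms)}")
```

A non-empty result is a trigger for the deeper checks the text describes (traffic analysis, publisher verification), not a verdict on its own.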
Technical controls for AI content: For employees using approved AI tools, browser-level technical controls (rather than reliance on extension behavior) intercept sensitive content before it reaches AI providers. This decouples the security obligation from trust in individual extensions.
The 83% unaudited rate is not addressable through user education — users cannot audit Chrome extensions themselves. It is addressable through enterprise governance that separates approved from unapproved extensions, and through technical controls that provide data protection regardless of extension behavior.
Sources: