anonym.legal

By · Last updated 2026-03-30

返回博客人工智能安全

83% 的 AI 扩展程序从未经过安全审计

USENIX 2025 研究显示,83% 拥有广泛权限的 Chrome 扩展程序从未经过安全审计;45% 的企业员工在使用未经 IT 审批的扩展程序。

March 30, 20268 分钟阅读
Chrome extension security auditenterprise browser governanceAI extension riskunaudited extensionsDLP browser

2026 年更新

大多数 AI 扩展程序从未经过审计

Chrome 网上应用店目前收录了超过 180,000 个浏览器扩展程序。其中许多——尤其是 AI 工具——申请了极为宽泛的访问权限:可以读取您访问的每一个页面、查看剪贴板内容,甚至拦截或修改网络请求。

USENIX Security 2025 研究发现,83% 拥有广泛权限的 Chrome 扩展程序从未经过任何安全审计。这些工具由开发者发布,用户数以百万计,却始终无人核实它们是否只做了宣称的事情。

这一漏洞具有结构性根源。Chrome 网上应用店会扫描已知恶意软件、核查政策合规性,但无法确认数据收集行为是否得到完整披露,也无法检测数据是否流向了隐蔽的第三方。

近半数企业员工在使用未经审批的工具

LayerX 2025 年企业浏览器安全报告显示,45% 的企业员工在使用从未经 IT 部门审批的浏览器扩展程序。这一现象极为普遍:员工发现一款实用工具,自行安装,IT 部门始终不知情。

将 83% 未审计与 45% 未审批叠加来看,企业中近半数员工可能正在使用安全性从未得到核实的工具,而这些员工每天都在处理公司的敏感数据。

对于受监管行业而言,风险更为直接。一名 HR 员工若在使用读取剪贴板的未审核工具,可能已将个人数据发送给了不知名的第三方;一名律师若在使用未审核的 AI 写作工具,可能已将客户数据泄露给了未知方。请参阅我们的合规指引,了解这些风险如何对应 GDPR、HIPAA 及相关框架的要求。

90 万用户事件揭示的问题

2026 年初发生的一起事件清晰展示了这一失败模式。恶意 Chrome 扩展程序导致约 90 万用户的 AI 聊天记录遭到泄露:其中约 60 万来自一款工具,约 30 万来自另一款。两款工具均提供了真实的 AI 功能,均在 Chrome 网上应用店上架,均积累了大量用户。

数据窃取在安装后 30 分钟内即告完成。当研究人员发现这些工具时,近百万用户已经失去了对其 AI 聊天记录的控制权,其中包括他们输入的所有敏感内容。

Incogni 2025 年研究还发现,67% 的 AI Chrome 扩展程序会收集用户数据,但各工具在收集行为、信息披露及数据流向方面差异显著。请参阅我们的安全与合规概览,了解浏览器层面的控制措施与依赖各工具自身行为管理之间的区别。

企业治理框架

全面禁止浏览器扩展程序并不现实,成本过高。正确的应对方式是建立一套治理框架,将风险敞口限制在经过审核的授权工具范围内——尤其是 AI 工具。

扩展程序白名单管理。 明确规定企业设备上允许使用哪些扩展程序,新增工具须经安全审查方可列入。通过 Chrome 企业政策阻止安装白名单以外的工具。

对 AI 工具实施更严格的审查。 凡是处理 AI 提示词的扩展程序,均须接受额外审查:检查网络流量以确认数据去向,核查完整权限范围,验证发布者身份。

浏览器层面的技术控制。 对于已审批的 AI 工具,在敏感内容到达 AI 服务商之前实施拦截控制,从而无需依赖每款扩展程序自身的行为规范。

83% 未审计的问题不是用户能够自行解决的。用户无法独立审计 Chrome 扩展程序。企业治理——审批清单、政策执行与技术管控——才是可靠的解决之道。更多内容请参阅我们的 FAQ浏览器 DLP 术语表

anonym.legal 的 Chrome 扩展程序在浏览器本地执行 PII 扫描。扫描过程中,聊天内容不会传输至 anonym.legal 服务器。发送至 AI 服务的是经过脱敏处理后的提示词。

参考来源

相关文章

人工智能安全

AI Coding Assistants Leak Production PII

Unit test fixtures with real customer records. Log files with production data for debugging. GitHub found 39 million secrets leaked in 2024.

人工智能安全

Internal Wiki PII: Confluence Customer Data

Support teams document processes with screenshots of customer accounts. Over 3 years, that's thousands of GDPR data minimization violations in your.

人工智能安全

Screenshot PII: Leaks in Internal Tools

Slack, Teams, Jira, and email regularly receive screenshots containing customer PII. This access-control violation bypasses every DLP tool.

准备好保护您的数据了吗?

开始使用 285 种实体类型在 48 种语言中匿名化 PII。

开始免费试用查看功能

About this page

We update this page when our platform or the law changes.

Read our founder note for how we work.

Each change shows up in the timestamp at the top.

Related reading

We follow these rules

  • GDPR (EU 2016/679).
  • ISO/IEC 27001:2022.
  • NIS2 (EU 2022/2555).
  • HIPAA safe harbor under 45 CFR § 164.514(b)(2).

Our promise

We do not sell your data.

We do not train models on your text.

We store your files in Germany.

You can delete your account at any time.

You own your work.

Where we run

Our servers live in Falkenstein, Germany.

We use Hetzner. They hold ISO 27001 certification.

All data stays in the EU.

Backups run every day.

Need help?

Email support@anonym.legal.

We reply within one business day.

How we test

We run a full check suite on every release.

Each surface gets its own sweep script and report.

Human reviewers spot-check the output each week.

We track recall and precision on a labelled set.

Bad runs block the deploy.

What we never do

  • We never sell your information to third parties.
  • We never train models on what you upload.
  • We never keep your work after you delete it.
  • We never share keys with any outside firm.
  • We never run ads inside the product.

Plans in plain words

We sell credits, not seats.

One credit covers one short job.

Long jobs use a few credits each.

You can top up at any time.

Unused credits roll over each month.

Read the plans page for current rates.

Who built this

A small team of engineers and lawyers built this.

We ship from Europe and work in the open.

Our founder note spells out why we started.

Where to start

How the parts fit

A browser add-on cleans text inside Chrome.

A Word plug-in handles drafts in Office.

A small desktop tool works on whole folders.

An agent protocol link feeds large models safely.

All four share one core engine and one rule set.

Words from our team

We started this work after a lunch about cookies.

One friend kept getting odd ads on her phone.

We asked why a court file leaked through a draft.

We sketched the first build on a napkin that week.

By month three we had a tiny demo for a friend.

She used it on her first case the next day.

Common questions we hear

Can the tool read scanned PDFs? Yes, with OCR.

Does it work on long files? Yes, in small chunks.

Can I roll my own rule set? Yes, save it as a preset.

Does it run offline? The desktop build runs offline.

Do you keep my files? No, the cloud build wipes after each run.

Will it learn from my work? No, we never train on inputs.

A short tour of the workflow

Upload a file or paste a snippet of prose.

Pick the entities you want gone from the draft.

Choose a method: replace, mask, hash, encrypt, or redact.

Press run and watch the side panel show each hit.

Skim the result and tweak any rule that misfired.

Save the cleaned file or send it to a teammate.