
Browser Extensions: The Security Threat No One’s Talking About

Jul 2, 2025


Browser extensions are one of the most unmonitored identity-adjacent attack paths in SaaS, yet most security teams have no idea what’s installed or how much access it has.

Ben Robertson and Guy Katzir

Browser extensions seem harmless—just tools to block ads, clean up formatting, summarize, or translate web pages. But in reality, they are cloud-connected mini applications with access to everything users do in SaaS. Most people don’t think twice about installing a browser extension. In fact, nearly every enterprise user runs at least one, and the vast majority have ten or more installed across their devices.

But here’s the problem: even the extension stores themselves have started issuing warnings. In early 2025, Google removed a series of Chrome extensions that had quietly turned malicious after their developers’ accounts were compromised. By the time anyone noticed, more than 3.2 million users had been exposed to spyware-like behavior, including keystroke logging and stealthy data exfiltration.

Some of these extensions remained in the store for months, gathering thousands of reviews and high ratings. As Forbes reported, their malicious payloads often hid behind obfuscated code that only activated under certain conditions, making them nearly invisible to traditional security tools.

Extensions also open a door that no one is watching: they are one of the most unmonitored identity-adjacent attack paths in SaaS. They do not show up in the IdP, they bypass EDR, and they operate completely unmanaged. And the scary part? Most security teams have no idea what’s installed or how much access it has.

What Can Browser Extensions Actually Do?

The short answer: A lot more than most people realize.

A browser extension is essentially a mini software program with hooks into your web activity. When a user grants it permission to “read and change data on all websites,” that’s not just some generic language. It means the extension can monitor everything from URLs visited to the contents of web forms—including names, passwords, session tokens, and confidential internal data viewed in tools like Salesforce, Google Workspace, or Jira.

Some extensions go further. They inject scripts into active SaaS sessions, scrape DOM content, capture session tokens, and manipulate page data silently. These actions often happen after authentication and are invisible to most detection tools.

That might sound technical, but here’s what it means: the DOM, or Document Object Model, is the browser’s behind-the-scenes map of everything on a web page. If you’re looking at a Salesforce record, the DOM includes the customer’s name, email, notes, deal size—every bit of visible (and sometimes hidden) data. When an extension reads the DOM, it’s effectively reading the screen—and not just passively. It can also manipulate that content, copy it, or send it elsewhere, without the user ever noticing.

Browser Extensions Are SaaS

Browser extensions aren’t just utilities; they’re SaaS applications in their own right—and dangerous ones at that. They connect to the cloud, store data, and operate with their own permissions and accounts. The difference is they don’t show up in your SaaS inventory. There’s no procurement process. No onboarding. Yet they can see—and in some cases, interact with—everything your users do across the SaaS apps they rely on.

And it doesn’t stop at DOM access. Other browser extensions quietly exfiltrate clipboard contents, take screenshots, or tap into browser APIs to learn what tabs are open, what services are being used, and even how long a user stays on a page. Some behave like lightweight keyloggers, logging inputs in login forms or password fields, or harvesting authentication tokens after a user has already passed MFA.

Here’s the kicker: a user might install an extension to fix one small annoyance, like formatting a CSV or summarizing a news article, and never think twice about what it’s accessing behind the scenes. Many of these tools are built by individual developers or small vendors with little to no security oversight. If one of those accounts gets compromised (or quietly sold), the extension can be updated with malicious code and re-deployed to every browser that installed it without the user doing anything.

In some cases, the extension itself starts out clean but later becomes malicious. This “extension hijacking” model is especially dangerous because it leverages trust and scale. By the time the payload arrives, the distribution is already done.

How a Breach from a Browser Extension Unfolds

Here’s how one small extension can turn into a full-blown SaaS breach.

Lisa installs a Chrome extension to help format Google Docs. It looks legitimate: thousands of installs, strong reviews, and it's free. The permissions prompt says it can read and change data on all websites, but she clicks accept without a second thought.

What she doesn’t know is the extension was quietly updated after the original developer account was compromised. The new version includes obfuscated code that scrapes active session tokens from Google Drive, Salesforce, and Slack, then exfiltrates them to a remote server.

An attacker uses the stolen tokens to spin up a new browser session. No login screen. No MFA prompt. No alerts. The activity blends in with normal user behavior. Within hours, the attacker is accessing sensitive customer records and internal files. By the time anyone notices unusual activity, the damage is done—and the extension still works exactly as advertised.

Sound far-fetched? Guess what—it already happened.

In late 2024, Cyberhaven experienced a breach almost identical to this. Employees had installed a benign Chrome extension that was later hijacked and updated with malicious functionality. Once active, it harvested OAuth tokens from Google Workspace, Slack, and Jira, allowing attackers to impersonate users and access customer and financial data without detection.

The breach went unnoticed for days. No malware was dropped. No phishing emails were involved. Just a trusted browser extension that turned rogue.

How Browser Extension Risks Sneak Past Traditional Controls

You might be thinking: don’t we already have protections in place for stuff like this?

Sure—your stack probably includes endpoint protection, network filtering, CASBs, and maybe a secure browser or two. But here’s the problem: most of those tools are blind to what’s happening inside the browser after login. Malicious extensions operate in that gray area after encryption, after authentication, and often without any binaries being dropped.

| Control Type           | What It Watches                           | What It Misses                                                                  |
|------------------------|-------------------------------------------|---------------------------------------------------------------------------------|
| Network filters        | Inspects traffic at the edge              | Misses exfiltration over encrypted HTTPS from browser extensions                 |
| Endpoint agents        | Monitors processes, executables, files    | Cannot access session tokens, clipboard, DOM, or injected scripts               |
| CASBs / SWGs           | Looks at SaaS API usage and file sharing  | Can’t see user or extension behavior inside the SaaS app UI or executed scripts |
| MFA / IdP-based access | Login attempts and access grants          | Doesn’t validate active session behavior or detect token reuse                  |

How to Protect Against Malicious Browser Extensions (Without Killing Productivity)

Blocking all browser extensions might sound like a clean solution. But in practice, it breaks workflows and frustrates developers, analysts, and sales teams. A better approach is visibility, context, and real-time decisions based on risk. Here’s what that looks like:

1. See What’s Installed and What It’s Actually Doing

Start by building a complete inventory of browser extensions across the organization. Remember: these aren’t just browser tools. They’re unmanaged SaaS apps that are inherently riskier than traditional ones. Extensions don’t just access data from one provider; they can see everything your users do across all SaaS apps. That’s why visibility here isn’t optional; it’s critical. You need to know what’s already installed, what’s being added, and what each extension is capable of. That includes permissions requested, who’s using it, how widely it’s deployed, and whether it’s linked to any known threats.
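As an added example (not Grip’s code or scoring model), the script below shows the first half of that inventory: walking a Chromium-style profile’s Extensions directory, reading each manifest.json, and flagging the permissions that amount to “read and change data on all websites” (host access such as <all_urls>, cookies, script injection) as discussed earlier. The risk weights and the sample manifest are constructed for illustration.

```python
import json
from pathlib import Path

# Permissions that let an extension read or alter what a user does across
# SaaS apps ("read and change data on all websites" is <all_urls> / *://*/*).
# The weights are an assumption for this example, not Grip's scoring model.
HIGH_RISK = {
    "<all_urls>": 5, "*://*/*": 5, "http://*/*": 4, "https://*/*": 4,
    "debugger": 5, "cookies": 4, "webRequest": 3, "webRequestBlocking": 3,
    "scripting": 3, "clipboardRead": 3, "tabs": 2, "history": 2,
}

def score_manifest(manifest: dict) -> dict:
    """Collect the risky permissions an MV2 or MV3 manifest.json requests."""
    requested = set(manifest.get("permissions", []))
    requested |= set(manifest.get("optional_permissions", []))
    requested |= set(manifest.get("host_permissions", []))  # MV3 host access
    # A content script matched to every site is all-URL read access as well.
    for cs in manifest.get("content_scripts", []):
        requested |= set(cs.get("matches", []))
    flagged = {p: HIGH_RISK[p] for p in requested if p in HIGH_RISK}
    return {
        "name": manifest.get("name", "?"),       # may be a __MSG_*__ i18n key
        "version": manifest.get("version", "?"),
        "flagged": sorted(flagged),
        "score": sum(flagged.values()),
    }

def inventory(extensions_dir: Path) -> list:
    """Score every <profile>/Extensions/<id>/<version>/manifest.json, riskiest first."""
    results = []
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        with open(path, encoding="utf-8") as fh:
            entry = score_manifest(json.load(fh))
        entry["id"] = path.parent.parent.name   # the store's 32-char extension id
        results.append(entry)
    return sorted(results, key=lambda e: e["score"], reverse=True)

# Constructed sample, not a real extension: a "Docs formatter" that also asks
# for every site, cookies and script injection.
SAMPLE_MANIFEST = {
    "manifest_version": 3, "name": "Docs Formatter (constructed)", "version": "2.1.0",
    "permissions": ["storage", "cookies", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://docs.google.com/*"], "js": ["cs.js"]}],
}

if __name__ == "__main__":
    print(score_manifest(SAMPLE_MANIFEST))
```

Point `inventory()` at a profile’s Extensions folder (on Windows, under the Chrome User Data directory) to get the per-device list; who is using each id and how widely it is deployed still has to come from your fleet tooling.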

At Grip, we’ve taken a browser-native approach, observing extensions as they’re added or updated across Chrome, Edge, Brave, and others. No user prompts. No guesswork. Learn more about Grip’s native browser extension.

2. Assess Risk Based on Behavior and Context

Some extensions are obvious red flags, but many fall into the “maybe” zone. Analyzing permission scope, vendor reputation, behavioral patterns, and org-wide usage makes it easier to separate harmless utilities from potential data exfiltration tools. Grip’s risk scoring lets you act accordingly, automatically blocking dangerous extensions, reviewing medium-risk ones, and approving the rest.

3. Monitor Sessions, Not Just Logins

This is the blind spot most security tools miss. Once a token is issued, the IdP steps aside, and that’s where extensions strike. Look for solutions, like Grip’s ITDR 2.0, that can track session behavior after login: token anomalies, suspicious page activity, signs of impersonation. Real-time detection is critical to catching token theft before it becomes a data leak.
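One concrete form of “monitoring sessions, not just logins” is token-reuse detection, as in the Lisa scenario above: the same session token appearing from a second IP and browser fingerprint while the legitimate browser is still active. The following is an added example, not Grip’s ITDR logic; the log format, the 30-minute window and the log lines are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SaaS access-log lines (not real data): timestamp user session_id
# source_ip user_agent. A stolen session token shows up as the same session id
# in use from a second IP / browser fingerprint while the original is active.
SAMPLE_LOGS = """\
2025-06-30T09:00:12Z lisa sess_a1 203.0.113.10 Chrome/125 Win10
2025-06-30T09:03:45Z lisa sess_a1 203.0.113.10 Chrome/125 Win10
2025-06-30T09:05:02Z lisa sess_a1 198.51.100.77 Chrome/118 Linux
2025-06-30T09:06:30Z lisa sess_a1 203.0.113.10 Chrome/125 Win10
2025-06-30T09:10:00Z dave sess_b7 192.0.2.33 Edge/125 Win11
2025-06-30T18:10:00Z dave sess_b7 192.0.2.34 Edge/125 Win11
"""
WINDOW = timedelta(minutes=30)  # assumption: tune to how mobile your users are

def parse(line: str) -> dict:
    ts, user, sid, ip, ua = line.split(maxsplit=4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "sid": sid, "ip": ip, "ua": ua}

def first_reuse(events: list, window: timedelta):
    """Return the first event that uses a session id from a different IP/UA
    fingerprint within `window` of an earlier event, or None."""
    events = sorted(events, key=lambda e: e["ts"])
    for i, ev in enumerate(events):
        for prev in events[:i]:
            same_fp = (prev["ip"], prev["ua"]) == (ev["ip"], ev["ua"])
            if not same_fp and ev["ts"] - prev["ts"] <= window:
                return {"sid": ev["sid"], "user": ev["user"],
                        "at": ev["ts"].isoformat(),
                        "original": f"{prev['ip']} {prev['ua']}",
                        "suspect": f"{ev['ip']} {ev['ua']}"}
    return None  # dave: a new IP hours later reads as a roaming user, not theft

def detect_token_reuse(log_text: str, window: timedelta = WINDOW) -> list:
    """Group log lines by session id and report each session showing reuse."""
    by_session = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse(line)
            by_session[ev["sid"]].append(ev)
    findings = (first_reuse(evs, window) for evs in by_session.values())
    return [f for f in findings if f]

if __name__ == "__main__":
    for f in detect_token_reuse(SAMPLE_LOGS):
        print(f"ALERT {f['user']} {f['sid']} at {f['at']}: {f['original']} -> {f['suspect']}")
```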

4. Help Users Make Better Decisions

Instead of blocking everything, intervene when users are about to make a risky choice. A quick prompt explaining why a specific extension is dangerous (and offering a safer alternative) goes a long way. Education at the moment of intent is far more effective than security awareness training delivered three months ago.

The Takeaway

Browser extensions aren’t niche tools anymore; they’re deeply embedded in how people work. But that convenience comes with risk, especially when security teams don’t have visibility into what’s installed, what it can access, or how it behaves after login.

The attack surface has shifted. And while endpoint agents and network controls still matter, they can’t see what’s happening inside the browser. That’s where threats like token hijacking and data leakage quietly take shape.

The good news? This isn’t unsolvable. With the right visibility, context, and controls, it’s possible to manage browser extension risk without disrupting productivity and protect SaaS access where and when it happens.

Want to Go Deeper?

Getting Started with SaaS Security is a practical guide to securing your SaaS environment without slowing down the business. Download your free copy now.

Getting Started with ITDR breaks down why other tools aren’t enough to stop today’s identity threats and how ITDR is changing security strategies.

Book time with our team of SaaS security experts if you’d like to discuss your security program and how Grip can help.
