Browser extensions feel harmless — a small icon in the toolbar, a bit of extra functionality. But from a security standpoint, they’re miniature SaaS vendors installed inside your browser with access to the pages you visit, the credentials you type, and the cloud applications you use throughout the day.
Most businesses don’t have a formal process for reviewing them. Someone installs a grammar checker, a productivity timer, or a meeting notes tool, and it joins the environment with no questions asked. The extension might be exactly what it claims to be. Or it might be over-permissioned, poorly maintained, or — in some cases — deliberately malicious.
Here’s a five-minute check you can run before installing any browser extension.
1. Who built it?
Start with the developer. A legitimate extension should have a recognisable publisher — a real company name, a consistent web presence, and contact details that check out. Extensions published by individuals with no track record, or with names that don’t match the website they’re supposedly associated with, warrant extra scrutiny.
Check when the extension was last updated. An extension that hasn’t been touched in two or three years is a risk — not because old software is inherently bad, but because unmaintained code doesn’t receive security fixes.
2. What does it actually say it does?
Read the store listing properly. A quality extension explains clearly what it does, what data it handles, and whether it shares anything with third parties. Vague descriptions like “enhances your browsing experience” without specifics are a warning sign. If the developer can’t explain what the tool does in plain language, you shouldn’t install it.
3. What permissions is it asking for?
Permissions are the most important control point. Check carefully:
- “Read and change all your data on all websites” — this is broad access. Is it justified by the extension’s function?
- Access to browsing history — why would a grammar tool need this?
- Access to tabs and navigation — legitimate in some cases, but worth understanding why.
The rule of thumb: if the permissions requested go beyond what the stated function requires, don’t install it. A PDF viewer doesn’t need access to your entire browsing history.
4. Does it change over time?
Legitimate extensions update for bug fixes and new features. Malicious or compromised extensions sometimes use updates to quietly expand their permissions or change what data they collect. If an extension you trust suddenly requests new permissions on update, investigate before accepting.
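As an added example that is not part of the original post, the following Node.js script applies the checks from sections 3 and 4 to Chrome-style extension manifests: it flags permissions that go beyond an extension's stated function and lists any permissions a new version requests that the previous one did not. The two manifests are constructed samples, and the "broad permission" labels and the per-purpose allowlist are this example's own assumptions rather than a published standard.

```javascript
// Added example, not code from the original post: a small manifest audit that
// applies the "permissions match the function" and "watch for expansion on
// update" checks. Ratings, allowlists and sample manifests are constructed.

// Permissions that expose browsing activity or page content (labels are ours).
const BROAD_PERMISSIONS = {
  "<all_urls>": "read and change data on all websites",
  history: "full browsing history",
  tabs: "URLs and titles of every open tab",
  webRequest: "observe network requests",
  cookies: "read site cookies",
  clipboardRead: "read the clipboard",
  nativeMessaging: "talk to programs outside the browser",
};

// Hypothetical allowlist of what each stated purpose plausibly needs.
const EXPECTED_BY_PURPOSE = {
  "pdf-viewer": ["storage"],
  "grammar-checker": ["storage", "activeTab"],
};

// Host patterns that cover every site; they appear in MV2 "permissions"
// or MV3 "host_permissions" and are equivalent to <all_urls> for our purposes.
function isAllSitesPattern(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(pattern);
}

// Flatten API and host permissions, normalising any all-sites host pattern.
function collectPermissions(manifest) {
  const all = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  return [...new Set(all.map((p) => (isAllSitesPattern(p) ? "<all_urls>" : p)))];
}

// Section 3: every permission beyond the stated purpose is a finding; broad
// ones are marked so a reviewer sees at a glance what the extension could reach.
function auditManifest(manifest, purpose) {
  const expected = new Set(EXPECTED_BY_PURPOSE[purpose] || []);
  const findings = [];
  for (const perm of collectPermissions(manifest)) {
    if (expected.has(perm)) continue;
    findings.push({
      permission: perm,
      broad: perm in BROAD_PERMISSIONS,
      note: BROAD_PERMISSIONS[perm] || `not needed for a ${purpose}`,
    });
  }
  return findings;
}

// Section 4: permissions the new version requests that the old one did not.
function addedPermissions(oldManifest, newManifest) {
  const before = new Set(collectPermissions(oldManifest));
  return collectPermissions(newManifest).filter((p) => !before.has(p));
}

// Constructed sample: a "PDF viewer" whose update quietly broadens its reach.
const pdfViewerV1 = { manifest_version: 3, version: "1.0", permissions: ["storage"] };
const pdfViewerV2 = {
  manifest_version: 3,
  version: "1.1",
  permissions: ["storage", "history", "tabs"],
  host_permissions: ["*://*/*"],
};

console.log("v1 findings:", auditManifest(pdfViewerV1, "pdf-viewer"));
console.log(
  "v2 findings:",
  auditManifest(pdfViewerV2, "pdf-viewer").map((f) => `${f.permission}: ${f.note}`)
);
console.log("added on update:", addedPermissions(pdfViewerV1, pdfViewerV2));
```

Run it with `node` on a manifest exported from an extension's package and the output is the list a reviewer needs for step 5: an empty findings list supports "approve", broad permissions with no justification point to "avoid" or "escalate", and a non-empty "added on update" list is the trigger to investigate before accepting the new version.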
5. Make a decision
- Approve if the developer is credible, the purpose is clear, and the permissions match the function.
- Avoid if anything is unclear, the permissions are excessive, or the update history is stale.
- Escalate if the extension provides genuine value but has elevated permissions — get IT to review it for managed deployment rather than ad hoc installation.
Most browser extension incidents aren’t dramatic. They’re the result of someone installing something without checking, and that something quietly doing more than it should. A five-minute review before installation is a simple standard that significantly reduces the risk.
If you’d like help building an extension policy for your team, get in touch.