
Chrome, Edge, Firefox Warning—99% Of Browsers Now At Risk
Why you need to change your browser
Sometimes the most dangerous risks are those we think least about, lurking behind the scenes in the apps and platforms we use daily. While the malware attacking our phones generates headlines, that's rarely the case with the permission abuse that affects most users, almost all of the time. And while secretive tracking and malware attacks on our browsers prompt update warnings and settings changes, that's still not true of a threat that's just as pervasive and is now a major risk to users worldwide.
We're talking extensions, which have finally come into view in the last year as popular add-ons are hijacked to threaten those using them. And while Google is fighting back, it's clear that this attack surface remains wide open to exploit. That's certainly the new warning from the security research team at LayerX, which is in the business of securing enterprises from extension exposure.
The team warns that 'most users don't realize that browser extensions are routinely granted extensive access permissions that can lead to severe data exposure should those permissions fall into the wrong hands.' And when those extensions are trivial, just as with mobile apps, that's an easy trojan horse into an enterprise. 'Users often use such extensions to fix their spelling, find discount coupons, or other productivity uses… This is particularly a risk to organizations since many organizations do not control what browser extensions users install on their endpoints.'
This follows a similar warning from CrowdStrike a few weeks ago. 'While it's common for users to install browser extensions to tailor their online experience to better meet their needs and preferences, these tools also carry significant security risks. Browser extensions are yet another avenue that can be exploited by cyber attackers or act as a vehicle for malware.' Which means that 'to reduce the attack surface and limit potential vulnerabilities, users should install only essential browser extensions.'
There are frequent warnings that connecting your own phone to your employer's networks and systems exposes the company to your own security weakness. The same is true of extensions. 'A compromised browser extension of an individual user can lead to exposure and breach of the organization as a whole.'
Most people reading this will give little if any thought to extensions. But given the stark numbers in the research, you probably should. '99% of enterprise users have a browser extension installed in their browsers, and more than half (52%) of employees have more than 10 extensions installed.' And while official Chrome, Edge and Firefox stores are the 'most common source,' the threat 'is much wider than most users realize.'
The numbers are frightening.
Not to state the obvious, but this means that almost every organization is exposed, relying on corporate IT defenses to ensure endpoint integrity across all those users. Unless their desktops are completely locked down, which doesn't happen often.
LayerX reports that '53% of enterprise users have installed a browser extension with 'high' or 'critical' risk scope, meaning that such extensions have access to sensitive data such as cookies, passwords, web page contents, browsing information, and more, putting users at risk of credential theft or data exposure.'
And again, just as with mobile apps the red flags are all in plain sight. More than half of extension publishers hide behind little more than a free Gmail account, more than three-quarters have a single extension under their name, and most don't even have a privacy policy to review.
While other browsers are vulnerable to extension abuse, this is really all about Chrome which dominates the install base. 'Securing Chrome browsers should be an organizational security team's #1 priority,' LayerX says.
This is such a fragmented market that it's little surprise to read these findings. The vast majority (95%) of Chrome extensions 'have fewer than 10,000 installs' and only 0.2% have 'more than one million users.' There is not the same level of awareness and user savvy we see on mobile phones and apps, which are still highly vulnerable.
As Bleeping Computer warned earlier this year, the recent exposure of cybercriminals hijacking extensions 'sheds a spotlight on the identity risks posed by browser extensions, and the lack of awareness that many organizations have about this risk.'
The one key recommendation is that enterprises need a better sense of their risk, and that means auditing or shutting down the extensions in use. Home users should limit extensions to those they need and can categorically trust.
'Many organizations don't have a full picture of all extensions that are installed in their environment,' LayerX says. 'Many organizations allow their users to use whichever browser (or browsers) they wish to use and install whatever extensions they want. However, without a full picture of all extensions on all browsers of all users, it is impossible to understand your organization's threat surface.'
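One way to start the audit recommended above, as an added example that is not from LayerX or the original article: a Python sketch that reads each installed extension's `manifest.json` from a Chrome-style `Extensions/<id>/<version>/` tree and flags the permissions that grant access to cookies, page contents and browsing data. The tier assignments, the function names and the sample manifests are assumptions made for illustration, not LayerX's risk model.

```python
import json
from pathlib import Path

# Assumed tiering for illustration only; this is not LayerX's scoring model.
CRITICAL = {"cookies", "debugger", "nativeMessaging", "webRequest", "proxy"}
HIGH = {"history", "tabs", "scripting", "clipboardRead", "downloads", "management"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def classify(manifest):
    """Return (tier, reasons) for one parsed manifest.json."""
    declared = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    perms = {p for p in declared if isinstance(p, str)}
    # Manifest V3 lists hosts separately; V2 mixes host patterns into "permissions".
    hosts = set(manifest.get("host_permissions", [])) | perms
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))  # content scripts can read page contents
    broad = bool(hosts & BROAD_HOSTS)
    reasons = sorted(perms & (CRITICAL | HIGH)) + (["all-sites host access"] if broad else [])
    if perms & CRITICAL and broad:
        tier = "critical"
    elif perms & CRITICAL or broad:
        tier = "high"
    elif perms & HIGH:
        tier = "medium"
    else:
        tier = "low"
    return tier, reasons

def load_manifests(extensions_root):
    """Yield (extension_id, manifest) from an Extensions/<id>/<version>/ tree."""
    for path in Path(extensions_root).glob("*/*/manifest.json"):
        try:
            yield path.parts[-3], json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing

def audit(manifests):
    """Map extension id -> (tier, reasons) for every extension above 'low'."""
    results = {ext_id: classify(m) for ext_id, m in manifests}
    return {k: v for k, v in results.items() if v[0] != "low"}

SAMPLE = [  # constructed manifests, not real extensions
    ("coupon-helper", {"permissions": ["cookies", "storage"], "host_permissions": ["<all_urls>"]}),
    ("spell-fix", {"manifest_version": 2, "permissions": ["activeTab", "storage"]}),
    ("tab-sorter", {"manifest_version": 3, "permissions": ["tabs"]}),
    ("page-styler", {"content_scripts": [{"matches": ["*://*/*"], "js": ["s.js"]}]}),
]

if __name__ == "__main__":
    for ext_id, (tier, reasons) in audit(SAMPLE).items():
        print(f"{tier:8} {ext_id}: {', '.join(reasons)}")
```

To audit a real endpoint, pass the profile's extensions directory to `audit(load_manifests(path))`; the path differs by operating system and browser, so it is left to the caller.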
