
Chrome AI assistant extensions: are your browser controls keeping up?


(@mr-nhi)
 

Browser extensions have become identity-adjacent control points, not harmless productivity add-ons. When an extension can read authenticated page content, inject UI, and relay data to mutable backend infrastructure, it is operating inside the access path, not beside it. That means browser governance now belongs in the same conversation as session control, secret exposure, and delegated access. Practitioners should treat extension runtime behaviour as part of identity risk management, not as a separate endpoint hygiene issue.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: How can organisations detect extension spraying across multiple browser listings?

A: Organisations should compare code fingerprints, permission sets, backend domains, and update behaviour across all browser extensions in use. Extension spraying usually hides one operator behind many listings, so a name-based review misses the pattern. The goal is to detect shared infrastructure and revoke the whole cluster, not just one visible extension.

👉 Read our full editorial: Fake AI assistant extensions turn Chrome into a data broker



   
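One way to run the cross-listing comparison described in the answer above, as an added example that is not part of the original post. The inventory, its field names, and every ID, hash and domain in it are constructed for illustration. The sketch links listings on code fingerprint and backend domain and reports the permissions each cluster has in common; update behaviour is not modelled.

```python
from collections import defaultdict

# Constructed inventory (not real extensions): IDs, hashes and domains are made up.
INVENTORY = [
    {"id": "ext-a", "name": "AI Chat Sidebar", "code_sha256": "h1",
     "permissions": {"tabs", "scripting", "<all_urls>"}, "backends": {"api.example-one.test"}},
    {"id": "ext-b", "name": "Smart Summarizer", "code_sha256": "h1",
     "permissions": {"tabs", "scripting", "<all_urls>"}, "backends": {"cdn.example-two.test"}},
    {"id": "ext-c", "name": "GPT Helper Pro", "code_sha256": "h2",
     "permissions": {"tabs", "<all_urls>", "storage"}, "backends": {"cdn.example-two.test"}},
    {"id": "ext-d", "name": "Tab Tidy", "code_sha256": "h3",
     "permissions": {"tabs"}, "backends": {"sync.example-three.test"}},
]

def find_clusters(inventory):
    """Group extensions linked by a shared code fingerprint or backend domain."""
    parent = {e["id"]: e["id"] for e in inventory}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    # Index every extension under each indicator it exposes.
    seen = defaultdict(list)
    for e in inventory:
        seen[("code", e["code_sha256"])].append(e["id"])
        for d in e["backends"]:
            seen[("backend", d)].append(e["id"])
    # Union extensions sharing any indicator; links are transitive, so
    # a-b (same code) and b-c (same backend) end up in one cluster.
    for ids in seen.values():
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])

    groups = defaultdict(list)
    for e in inventory:
        groups[find(e["id"])].append(e)
    clusters = []
    for members in groups.values():
        if len(members) < 2:
            continue  # a lone listing is not a spraying cluster
        ids = sorted(m["id"] for m in members)
        shared = sorted(k for k, v in seen.items() if len(v) > 1 and set(v) <= set(ids))
        perms = sorted(set.intersection(*(m["permissions"] for m in members)))
        clusters.append({"ids": ids, "shared_indicators": shared, "common_permissions": perms})
    return clusters

if __name__ == "__main__":
    for cluster in find_clusters(INVENTORY):
        print(cluster)
```

The three differently named listings fall into one cluster even though no single indicator is common to all of them, which is the case a name-based review misses.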