AboutBlogBusiness First AIFounder FreedomBook a conversation

Browser plugins, AI extensions and the data you did not realise you were sharing

May 11, 2026
A business owner and a colleague leaning over a laptop together with a browser extensions panel visible on the screen and a notebook beside the laptop
TL;DR

Browser extensions, including the AI sidebars, summarisers and writing helpers your team installed on their own, read the content of every web page, every form field and often the clipboard. Across a small team, the aggregate exposure is usually larger than the headline AI tools the owner is worried about. A twenty-minute audit and a five-question checklist before any new extension goes on a work laptop closes most of the gap.

Key takeaways

- A browser extension with broad permissions can read the content of every web page the user visits, every form field as it is filled in, and in many cases the clipboard and the navigation history. - The risky categories are sidebar AI assistants, autocomplete and writing helpers, meeting transcribers, screen-capture tools and email or CRM assistants. The safer categories are scoped to one site or one task, like a password manager or a single-vendor sidebar. - A LayerX survey published in 2025 found 99% of enterprise users have at least one extension installed and 53% of installed extensions can reach sensitive data. The aggregate across a five-person team is usually larger than the owner expects. - The Cyberhaven Christmas 2024 supply-chain attack compromised at least 35 extensions with a combined 2.6 million installs, and a March 2026 Microsoft Defender report flagged malicious AI-assistant extensions reaching 900,000 users. Long-standing extensions can be turned malicious overnight. - The audit takes twenty minutes. Open chrome://extensions or about:addons on each machine, list what is there, ask five questions per extension, remove anything that fails them, and write down which extensions are approved.

Six weeks ago, somebody on the team installed a browser AI assistant. It promised to summarise long client emails, draft replies and pull the key points out of attachments. Everyone liked it. Two more people installed it. Nobody read the permission warning, which said it could read and change data on every website visited, because that warning has worn out its meaning. The owner has not looked at it. She would not know where to look. The extension has, in the intervening six weeks, sat quietly inside the browser of three people, reading every page they have opened.

That story is close to the median pattern for a small services firm in 2026. The extensions are useful, they are easy to install, and they sit much closer to the firm’s data than the chatbots the owner is actually worried about.

What does a browser AI extension actually have access to?

Once installed with default permissions, a browser extension can read the content of every web page, every form field as it is being typed, and often the clipboard and the navigation history. Some extensions can also inject code into pages, so they can change what the user sees or capture what they enter. The install-time permission warning is technically accurate, and after a year of clicking “Allow” it has worn out its meaning.

The asymmetry matters because the user only sees one tab at a time. The extension sees every tab. When somebody has their email, their CRM, their bank, their client portal and a HMRC return all open in the same session, an extension with broad permissions sees all of them. The LayerX Browser Security Report for 2025 found that 99% of enterprise users had at least one extension installed and 53% of installed extensions could reach sensitive data such as cookies, passwords and page contents. Across a small team with five or six extensions each, the aggregate footprint is large.

Which categories are typically safe, which are typically risky, and which sit in between?

The lower-risk extensions are scoped to one site or one task, like a password manager on login pages or an ad blocker maintained by a non-profit. The higher-risk categories are sidebar AI assistants, autocomplete and writing helpers, meeting transcribers, screen-capture analysers, and email or CRM AI helpers. The in-between are page summarisers, which read the current page on demand and transmit its content to a remote model.

A useful framing is what the extension would have to send to a third-party server to do its job. A password manager sends nothing during normal browsing. A page summariser sends the content of one page each time you click the button. A sidebar assistant has the standing capability to send any page, at any time, depending on what the user invokes. A writing helper sends, on principle, everything the user composes in a web form. The risk grade tracks the data flow, not the marketing description.

How do you audit what your team actually has installed?

Open chrome://extensions in Chrome, about:addons in Firefox, or the Extensions preference pane in Safari on each machine, and screenshot the list. For each extension, note the name, the developer, the date it was last updated and the permissions it requests. If you run managed devices through Google Workspace or Microsoft 365, the admin console gives you the same view centrally. For a five-person firm without managed devices, the sweep takes twenty minutes.

What you are looking for is the inventory itself. Owners doing this for the first time commonly find at least one extension nobody on the team can explain. They also find a long tail of extensions that have not been updated for over a year, which the LayerX research found accounts for 51% of installed extensions in the average organisation. Out-of-date extensions are not automatically dangerous, but they are an unmaintained dependency sitting inside your firm’s data path. The audit is what makes the rest of the conversation possible. Without it you are guessing.

When should you allow a new AI extension on a work laptop, and when should you decline?

Before any new AI extension goes on a work laptop, ask five questions. What specific data will it read. Where does that data travel. Who is the developer. What is the retention policy. And does the function genuinely require the permissions it is asking for. If you cannot answer three of these in under ten minutes on the developer’s privacy page, the extension is not ready for business use yet.

The five questions are not theoretical. The ICO’s guidance on controllers and processors is explicit that the firm pasting client data into a third-party tool remains the controller, and the third party is acting as a processor whether or not anyone signed an agreement. The NCSC’s browser security guidance recommends an approvals process for any extension that touches business systems. Where a developer cannot point you at a Data Processing Agreement and a clear retention statement, the legal default is that your firm is processing personal data without a lawful basis. That is the same exposure that applies to chatbots, but extensions tend to slip in under the radar because there was no procurement step.

What do you do when you find an extension that should not be there?

Remove the extension first, before anything else, to stop the data flow. Then check the browser’s history and saved sessions for the period it was installed, clear cached data, and rotate passwords for any sensitive accounts the user logged into. If the developer has had a documented security incident in the last twelve months, treat any active session during that window as potentially compromised and reset its credentials.

The Cyberhaven supply-chain attack in late December 2024 is the textbook case. A trusted security extension was hijacked through an OAuth phishing attack on the developer, and the malicious version was live for around twenty-four hours over the Christmas weekend when many security teams were on holiday. The same campaign went on to compromise at least 35 extensions with a combined 2.6 million installs. A separate Microsoft Defender report in March 2026 documented malicious AI-assistant extensions reaching around 900,000 users, harvesting LLM chat content and browsing data from inside enterprise sessions.

Then have the conversation with the team member who installed it. The tone is curiosity, not reprimand. There was a real productivity reason the extension went on, and that reason has not gone away. Replacing it with a sanctioned tool, or writing a short paragraph into the firm’s minimum viable AI policy about what categories of extension are allowed, is the durable fix. If you have not got that policy yet, this audit is usually the moment to write it.

If you have done the sweep and are not sure which of the extensions on the list are worth keeping, which need replacing, or how to set the firm up so this does not happen again next quarter, book a conversation.

Sources

- LayerX Security (2025). Browser Security Report 2025. Survey finding that 99% of enterprise users have at least one extension installed and 53% of extensions can access sensitive data including cookies, passwords and page contents. https://go.layerxsecurity.com/hubfs/Browser_Security_Report_2025.pdf - National Cyber Security Centre (2024). Managing web browser security. UK government guidance on browser configuration, extension approval processes and prompt patching for small organisations. https://www.ncsc.gov.uk/collection/device-security-guidance/policies-and-settings/managing-web-browser-security - Information Commissioner's Office (2024). Controllers and processors. The UK regulator's guidance on the legal duties an organisation carries when a third party processes personal data on its behalf, including extension providers. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/controllers-and-processors/ - Darktrace (2025). Cyberhaven supply chain attack, exploiting browser extensions. UK cyber-security firm's account of the December 2024 compromise and the sustained data exfiltration observed in customer environments. https://www.darktrace.com/blog/cyberhaven-supply-chain-attack-exploiting-browser-extensions - TechMonitor (2025). Hackers compromise 35 Chrome extensions, exposing 2.6m users. UK trade-press coverage of the OAuth phishing campaign that injected malicious code into 35 legitimate extensions. https://www.techmonitor.ai/cybersecurity/35-chrome-extensions-hacked/ - Microsoft Security (2026). Malicious AI assistant extensions harvest LLM chat histories. Microsoft Defender research documenting AI-assistant extensions reaching around 900,000 installs and exfiltrating chat content. https://www.microsoft.com/en-us/security/blog/2026/03/05/malicious-ai-assistant-extensions-harvest-llm-chat-histories/ - Google (2025). Chrome enterprise extension management. Admin Console controls for inventorying, blocking and force-installing extensions across a managed device fleet. https://support.google.com/chrome/a/answer/9296680?hl=en - Microsoft Learn (2025). Manage Microsoft Edge extensions in the enterprise. Group Policy and Intune controls for permission management and blocklist enforcement on Edge. https://learn.microsoft.com/en-us/deployedge/microsoft-edge-manage-extensions - Malwarebytes (2025). Millions of people spied on by malicious browser extensions in Chrome and Edge. Coverage of the RedDirection campaign affecting 2.3 million users through previously legitimate sleeper-agent extensions. https://www.malwarebytes.com/blog/news/2025/07/millions-of-people-spied-on-by-malicious-browser-extensions-in-chrome-and-edge

Frequently asked questions

Is an AI sidebar in the browser actually riskier than just using ChatGPT in a tab?

Usually yes. A sidebar extension requests permission to read the content of every web page, which means it can see your CRM, your inbox, your accounting system and your client portals, not only the chatbot session. ChatGPT in a tab only sees what you paste in. Sidebars are convenient because they can read the current page on demand, but the price of that convenience is constant access to everything the browser sees. For a small firm handling client data, that distinction matters.

How do I find out what is actually installed on my team's machines without a managed device platform?

Ask everyone to open chrome://extensions, about:addons in Firefox, or the Safari Extensions preference pane on their work laptop, screenshot the list, and send it to you. It is a twenty-minute job for a five-person firm. You are looking for the name, the developer and the permissions of each extension. Most teams discover at least one extension nobody can explain. If you are on Microsoft 365 with Edge or on Google Workspace with managed Chrome, the admin console gives you the same view centrally.

One of my team installed an AI extension six weeks ago. Should I just remove it?

Probably, then have the conversation afterwards. The order matters. Remove the extension first to stop further data leaving the browser, clear the user's browser history and saved sessions for the period it was installed, and rotate any passwords for accounts the user logged into during that time. Then sit down with the team member and ask what problem the extension was solving. There is usually a real productivity gap underneath, and the goal is to meet it with a tool that has a data agreement, not to lecture someone for trying to work faster.

Written by Dr Dave Heath, AI consultant and business strategist.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.

Ready to talk it through?

Book a free 30 minute conversation. No pitch, no pressure, just a useful chat about where AI fits in your business.

Book a conversation

Related reading

An owner at her desk with two printed documents in front of her, a tools register and a policy, a pen resting on the page and a mug of tea nearby

The audit trail an SME actually needs, and the one it does not

Enterprise content tells SMEs to log every AI prompt and response. The proportionate audit trail for a 12-person firm is two pages of standing documentation plus a short per-incident note.

A founder and an operations lead at a meeting table with a printed two-page draft between them, two coffee mugs and a notebook, mid-conversation

Your minimum viable AI policy as a small business

Many published AI policy templates are sized for HR and legal teams. The version that fits a 5 to 50 person firm is two pages, plain language, five sections, drafted in ninety minutes. Shorter than expected, longer than the typical SME currently has written down.

A woman at her office desk in late afternoon writing in a notebook with four hand-drawn columns labelled UK, EU, US, Canada, a closed laptop and a half-drunk mug of tea to one side

Serving customers across borders, the multi-jurisdiction AI compliance picture for SMEs

Owners running across UK, EU, US and Canadian customers are managing four overlapping AI rulebooks at once, often without realising it. Here is the proportionate response, with the cases where it does not work.

If any of this sounds familiar, let's talk.

The next step is a conversation. No pitch, no pressure. Just an honest discussion about where you are and whether I can help.

Book a conversation
AboutBlogBusiness First AIFounder FreedomContactBook a conversation
Privacy PolicyTermsCookie Policy

© 2026 Larocca Consulting Ltd