Why extensions remain the soft underbelly
Browsers sandbox web pages, but extensions often run with elevated privileges: read and change data on sites you visit, capture screenshots, or proxy traffic through vendor servers. Manifest V3 reduced persistent background pages and pushed toward service workers, yet many productivity extensions still request `<all_urls>` because users expect them to work everywhere. A password manager, grammar checker, and coupon finder on the same profile can collectively see every URL, form field, and DOM mutation you produce in a workday.
Treat extensions like junior sysadmins. Each one should have a named owner, a business justification, and a quarterly re-approval—not indefinite install-and-forget.
Reading the permission manifest without jargon
Chrome and Firefox detail permissions in the store listing and in `chrome://extensions` → Details. Watch for these high-risk patterns:
- Read and change all your data on all websites — full browsing visibility; only password managers and serious accessibility tools merit this, and even then prefer domain-scoped alternatives.
- Read your browsing history — often unnecessary for stated features; ask why the vendor needs history versus active-tab access.
- Communicate with cooperating native applications — bridge to desktop apps expands attack surface if the native component is outdated.
- Debugger — legitimate for devtools extensions; alarming on shopping assistants.
Manifest V3 limited remotely hosted code, which closes one abuse path, but extensions can still fetch configuration JSON that enables features later. Review update changelogs when extensions auto-update.
Audit workflow for a five-person team
1. Export a list of installed extensions from a reference machine using admin policy or a scripted inventory.
2. Classify each as required, optional, or banned (crypto miners, unknown coupon bars, duplicate ad blockers).
3. For required extensions, document the vendor's privacy policy, data retention, and whether content is sent to third-party LLMs.
4. Test removal on a staging profile: does payroll, CRM, or SSO break?
5. Publish an allowlist internally; block store installs via policy where MDM supports it.
Families can run a lighter version: one evening, remove every extension nobody can name, then reinstall only what they miss.
Case study: the harmless PDF converter
A marketing contractor installed a "free PDF merge" extension with four-star reviews. It requested broad host access and shipped minified code that phoned home nightly with visited domain tallies—useful for ad targeting, useless for PDFs. Replacing it with a local desktop tool eliminated the leak without changing workflow. The lesson: host permissions should match the smallest set of domains needed (`https://mail.google.com/*` not `<all_urls>`).
Enterprise controls that actually help
Managed Chrome policies can force extension allowlists, block inline installs, and separate work profiles from personal browsing. Firefox ESR offers similar GPO templates. None of this helps remote contractors on personal laptops unless you pair policy with DNS filtering and SSO device posture checks.
Educate staff on sideloading: unpacked extensions bypass store review entirely. If developers need React DevTools, distribute a signed build rather than trusting random ZIP files in Slack.
FAQ: common pushback
Our blocker needs all URLs. Fine—ensure it is the only extension with that scope and verify it does not also sync browsing data to a vendor cloud.
Grammar tools need page text. Prefer vendors that document on-device processing or explicit redaction of password fields.
Can we trust store badges? Verified publisher helps; it is not a security audit. Read recent one-star reviews mentioning permissions.
Maintenance rhythm
Calendar a quarterly extension review the same week you rotate passwords on shared service accounts. Remove extensions tied to abandoned projects, pin versions for critical tools if your policy allows, and investigate any extension update that suddenly requests new permissions—legitimate features sometimes need them, but so do hijacked maintainer accounts.
A lean browser profile loads faster, breaks less after OS upgrades, and shrinks the data envelope when a vendor is breached.
School Chromebook fleets
Districts managing thousands of Chromebooks should use Google Admin console extension allowlists updated each semester. Teachers requesting new tools submit a one-page justification reviewed by IT and curriculum leads—not approved ad hoc during class.
Incident response when an extension goes rogue
Disable via policy, capture version hash, notify users with plain steps to export any data they entered into the extension, and open a vendor ticket if paid. Rotate passwords for sites the extension could have read in the last seven days.
Comparison: enterprise versus personal profiles
Keep work extensions out of personal Chrome profiles entirely. Synced personal profiles can leak corporate URLs through extension telemetry even when employees work from home on personal laptops with dual profiles poorly separated.
## Manifest V3 service worker limits
MV3 caps background persistence—extensions may batch data differently than MV2, changing exfiltration timing. Security reviews should read minified service worker updates in diff tools during extension upgrades, not only manifest permission changes.
Procurement for paid extensions
Paid grammar and meeting-recorder extensions need vendor security questionnaires like any SaaS. Finance approves spend while IT unaware of `<all_urls>` scope—centralize extension purchases through IT catalog.
## Red team exercise
Security intern attempts to publish a harmless internal extension requesting all URLs—see how many employees install from phishing email simulation. Results drive policy better than slide decks.
Extension sprawl after acquisitions
Mergers combine Chrome profiles and extension policies—harmonize allowlists before SSO integration week, not after helpdesk melts down.
Extension audit FAQ
How often to re-audit? Quarterly or after any browser major version upgrade.
Are uBlock and password managers safe? Generally reputable; still verify publisher and update channel.
Can IT see personal extensions? On managed devices yes—use separate profile for personal browsing.
What about Safari extensions? Audit separately—smaller ecosystem, different permission strings.
Should developers have all-urls access? Only dedicated security-reviewed dev profiles.
Unpacked extensions? Ban in policy except signed internal builds distributed via MDM.
Extension was sold to new owner? Treat as incident—review changelog and permissions immediately.
Firefox containers help? Yes for separating work and personal sessions on one browser.
## Closing notes on browser extension permissions audit
Extension audits are boring security work with high payoff because one malicious `<all_urls>` grant sees more secrets than a phishing email. Teams that institutionalize quarterly reviews and allowlists sleep better when npm or Chrome store incidents trend on Twitter. Individuals can adopt the same discipline: fewer extensions, pinned updates, and skepticism toward shiny new sidebar AI tools that request everything.
## Extra context for browser extension permissions audit
Enterprise security teams should align extension policy with SaaS SSO reviews—both expand the browser trust boundary. When Okta or Azure AD session cookies live in the same profile as a coupon extension with all-urls access, attackers need only compromise the extension supply chain to pivot into payroll or HR apps. Split profiles or dedicated managed browsers for high-risk apps reduce blast radius even if users complain about inconvenience. Document approved extensions in the same portal where staff request software—consistency reduces shadow IT installs during crunch weeks.
- Audit extensions quarterly with allowlists on managed devices.
- Treat `<all_urls>` as CEO approval tier.
- Remove extensions nobody can name in standup.
- Align extension policy with SSO risk.
- Test phishing installs with red team exercises.
- Document owner and business case per extension.
- Uninstall old MV2 abandonware before it breaks.
- Separate work and personal browser profiles.