When The Browser Becomes a Security Blindspot

Browser Security Dangers

Summary

Web browsers have become one of the most overlooked security blindspots in modern enterprises. While extensions and add-ons promise convenience, they also introduce serious vulnerabilities that attackers are actively exploiting. Recent studies show hundreds of millions of Chrome users have unknowingly installed malicious extensions, while advanced groups like Scattered Spider have weaponized browsers to steal credentials and bypass identity controls.

In this blog, CTO Barry Rooney shares why extensions are a personal “bugbear” and argues that strict governance is often the only safe path. We explore how browser-based attacks work, why traditional defenses miss them, and what IT leaders can do to protect their organizations.

The article concludes with a clear call to action: uncover hidden risks by requesting a free external risk assessment.

Web browsers are central to enterprise operations, from SaaS access to modern workflows. Yet they are also one of the most overlooked security blindspots. A 2024 study found that more than 280 million Google Chrome users installed dangerous extensions that harvested browsing data and tracked user behavior (Forbes). In 2025, researchers revealed how attackers hijacked 35 popular Chrome extensions, turning them into spyware via malicious updates pushed through the Chrome Web Store (BleepingComputer).

“I have a personal bugbear with web extensions, plugins, and add-ons. They’re horrendous, not just for cybersecurity, but for performance. Too many cloud providers push add-ins as a way to deploy apps, bypassing established controls. For some companies, it is a real mess.”
— Barry Rooney, CTO

This perspective highlights a critical reality: browsers and the add-ons that extend them are not just productivity tools but a significant attack vector.

The Blindspot: How Attackers Exploit Browser Add-ons

Browser extensions and plugins often request broad permissions such as access to browsing history, clipboard data, and local file systems. Once compromised, these permissions enable attackers to exfiltrate data, hijack sessions, and even redirect users to malicious domains. Because updates are silent, users rarely notice when legitimate tools are weaponized (The Hacker News).

The hijacking of 35 Chrome extensions in 2025 illustrates the severity. Trusted add-ons became spyware overnight, injecting malicious ads, stealing cookies, and capturing keystrokes while bypassing endpoint detection systems.

Scattered Spider: A Case Study in Browser-Centric Attacks

The hacking group Scattered Spider shows how attackers exploit the browser as an identity and access weak point. Since 2022, the group has used social engineering and phishing to trick IT helpdesk staff into resetting credentials or bypassing MFA (CyberScoop). By harvesting stolen browser sessions, tokens, and auto-filled credentials, they bypass hardened identity controls.

Scattered Spider has disrupted operations at MGM Resorts, Marks & Spencer, Harrods, and WestJet, among others (Cybersecurity Dive). Their methods often involve browser-in-the-browser (BitB) attacks, making phishing pages indistinguishable from legitimate login prompts (Seraphic Security).

This is why browsers are more than productivity tools. They have become a frontline in identity-focused cyberattacks.

Why Traditional Defences Fall Short

Most endpoint detection and response (EDR) tools, firewalls, and MDM platforms were not designed to monitor browser extensions or inspect web session behavior. Browsers are treated as trusted gateways, making them ideal for stealth attacks. Scattered Spider and other groups exploit this gap by operating inside the browser where traditional defenses cannot see.

A Multi-Layered Strategy to Secure Browsers

Addressing browser vulnerabilities requires intentional governance and monitoring:

  1. Enforce Extension Governance

Restrict installations with a strict allowlist. As Barry Rooney notes, blocking unverified add-ons may be unpopular but is often necessary.

  2. Adopt Browser Security Platforms

Use enterprise browser security tools that provide visibility into extension use, permissions, and unusual activity.

  3. Threat Hunt for Browser Abuse

Proactively monitor for anomalies such as unexpected data exfiltration, credential reuse, or malicious redirects.

  4. Educate Employees

Train staff to recognize phishing attempts and avoid installing unverified add-ons.

  5. Conduct External Risk Assessments

Simulate attacks and perform regular assessments to uncover hidden browser blindspots.
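The allowlist governance in step 1 and the broad-permission risk described earlier can be checked together from an extension inventory. The Python below is an added example, not code from this article or from any vendor tool: it reads Chrome `manifest.json` contents (Manifest V2 and V3 layouts) and reports extensions that are off the allowlist or allowlisted but holding broad grants. The `RISKY_API` selection, the sample extension IDs and the sample manifests are assumptions constructed for illustration.

```python
import json

# Chrome manifest permissions matching the data classes named in the article;
# the selection is this example's assumption, not an official risk list.
RISKY_API = {"history", "clipboardRead", "cookies", "webRequest", "tabs", "scripting"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
GRANT_KEYS = ("permissions", "optional_permissions", "host_permissions",
              "optional_host_permissions")

def risky_grants(manifest: dict) -> set:
    """Return the broad grants a manifest requests (MV2 and MV3 layouts)."""
    requested = set()
    for key in GRANT_KEYS:
        requested.update(p for p in manifest.get(key, []) if isinstance(p, str))
    for script in manifest.get("content_scripts", []):
        requested.update(script.get("matches", []))
    found = requested & (RISKY_API | BROAD_HOSTS)
    return found | {p for p in requested if p.startswith("file://")}

def audit(inventory: dict, allowlist: set) -> list:
    """inventory maps extension ID -> manifest.json text from an endpoint."""
    findings = []
    for ext_id, raw in sorted(inventory.items()):
        try:
            manifest = json.loads(raw)
        except json.JSONDecodeError:
            manifest = None
        if not isinstance(manifest, dict):
            findings.append((ext_id, "unparseable-manifest", []))
            continue
        grants = sorted(risky_grants(manifest))
        if ext_id not in allowlist:
            findings.append((ext_id, "not-allowlisted", grants))
        elif grants:
            # Allowlisted but broad: re-review on each update, since updates are silent.
            findings.append((ext_id, "allowlisted-broad", grants))
    return findings

# Constructed sample data: IDs and manifests are invented for illustration.
SAMPLE = {
    "a" * 32: '{"manifest_version": 3, "permissions": ["storage"]}',
    "b" * 32: '{"manifest_version": 3, "permissions": ["cookies", "history"],'
              ' "host_permissions": ["<all_urls>"]}',
    "c" * 32: '{"manifest_version": 2, "permissions": ["clipboardRead", "file:///*"]}',
    "d" * 32: '{"name": "Broken", ',
}
ALLOWLIST = {"a" * 32, "c" * 32}
if __name__ == "__main__":
    print(*audit(SAMPLE, ALLOWLIST), sep="\n")
```

The `allowlisted-broad` result is the one to re-check after each extension update, because an approved add-on keeps its grants when its code changes.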

Closing the Browser Blindspot

Browsers have evolved into dynamic platforms and, unfortunately, into critical attack surfaces. The rise of malicious extensions and groups like Scattered Spider demonstrates that browser vulnerabilities are no longer hypothetical. They are being exploited now.

As Barry’s warning suggests, IT leaders must stop treating browsers as a passive layer. Instead, they must govern, monitor, and defend them with the same rigor as any enterprise system.

Take the next step to protect your organisation. Request your free external risk assessment (before 31.10.2025) and uncover hidden browser vulnerabilities before attackers do.