Browser extensions have a quiet reputation. A quick install, a small productivity boost, a little helper that lives in your toolbar. They feel too minor to think about.

In practice, a browser extension behaves more like a software vendor running inside your browser session. It can see what your staff see, interact with the pages they open, and in some cases reach the same cloud apps your business relies on all day.

What this actually looks like

Most teams in Melbourne's south-east install extensions the same way: someone finds a tool that saves a few minutes, clicks "Add to Chrome", and moves on. Multiply that across a team and you end up with dozens of add-ons nobody has reviewed.

The catch is that extensions are not just small apps. The browser grants them special permissions, and many of them ask for far more access than the feature needs. An add-on that only formats text might request the ability to read and change everything you do in the browser.

That access can mean reading data in your cloud tools, capturing what staff type into forms, or altering the content of a page. None of it announces itself.

Why it matters for your business

The browser is where your people spend their whole day, so it is the most sensitive place to hand out access. UC Berkeley's guidance notes that extensions receive special authorisations, and the more you install, the larger your attack surface gets.

OWASP describes the core issue as permissions overreach. Extensions can request access to all tabs, browsing history and sensitive user data, well beyond what they actually use.

There is also a change-over-time risk. A helpful extension today can update tomorrow and quietly gain new permissions or new behaviour. The tool you approved is not always the tool you keep running.

It only takes one over-permissioned add-on, or one bad update, to turn a small convenience into a real exposure. The fix is not a 40-page policy. A short, repeatable check stops most of these problems before they start.

What actually works: a 5-minute check

Give your team a quick routine they can run before installing anything. It keeps the productivity benefit while tightening control.

1. Vet the developer like a vendor. If you would not give a random supplier access to your customer records, do not give a random extension access to your browser. Confirm the developer has a real website, support details and a consistent name across listings. Prefer official stores over "download this .zip" links.

2. Read the description like a contract. The store listing should clearly state what the extension does and why it needs access. Watch for tracking, analytics or data sharing that has nothing to do with the core feature.

3. Do a permission sanity check. Ask one question for each permission: does this match the feature? If not, treat it as a red flag. Microsoft's Edge Add-ons policy says extensions must only request permissions that are essential, and asking for access for "future proofing" is not allowed.

4. Watch updates and permission creep. If an extension suddenly requests new permissions you cannot justify, it is usually safer to remove it. Treat unexpected permission changes or feature shifts as a reason to pause and ask IT.

5. Decide: approve, avoid or escalate. Approve when the vendor is credible, the purpose is clear and the permissions are tight. Avoid anything vague or over-permissioned that wants access "just in case". Escalate genuinely useful tools that touch sensitive systems, so they can be reviewed and added to an approved list.
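Steps 3 and 4 of the check can be made mechanical by reading an extension's manifest.json, which is where every requested permission and host pattern is declared. The script below is an added example, not code from the original post or its author; the two manifests and the "what a text formatter needs" set are constructed samples, and the high-risk list is a judgement call that a team should tune to its own environment.

```python
"""Permission sanity check for a browser extension manifest (v2 or v3).

Added example, not code from the original post or its author. It encodes
steps 3 and 4 of the checklist: compare what an extension asks for with what
its feature needs, and flag permission creep between versions. The manifests
below are constructed samples, not real store listings."""
import json

# Chrome permission names and host patterns that let an extension read or
# change what staff see and type on every page, or reach history and cookies.
HIGH_RISK = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*",
             "tabs", "history", "cookies", "webRequest", "webNavigation",
             "clipboardRead", "debugger", "scripting"}

def requested_permissions(manifest: dict) -> set:
    """Collect API, host and optional permissions from a manifest."""
    keys = ("permissions", "host_permissions", "optional_permissions",
            "optional_host_permissions")
    return {p for k in keys for p in manifest.get(k, [])}

def sanity_check(manifest: dict, allowed: set) -> dict:
    """Step 3: permissions that do not match the feature ('allowed'), and
    the subset that are high risk. An empty 'unjustified' set means approve."""
    unjustified = requested_permissions(manifest) - allowed
    return {"unjustified": unjustified, "high_risk": unjustified & HIGH_RISK}

def permission_creep(old: dict, new: dict) -> set:
    """Step 4: permissions an update adds that the approved version lacked."""
    return requested_permissions(new) - requested_permissions(old)

# Constructed sample: a text-formatting helper that needs only its own settings
# and clipboard write (v1), followed by an update that asks for far more.
FORMATTER_V1 = json.loads('''{"manifest_version": 3, "name": "Text Tidy",
  "version": "1.0", "permissions": ["storage", "clipboardWrite"]}''')
FORMATTER_V2 = json.loads('''{"manifest_version": 3, "name": "Text Tidy",
  "version": "2.0", "permissions": ["storage", "clipboardWrite", "tabs",
  "history"], "host_permissions": ["<all_urls>"]}''')
# What a text formatter plausibly needs (the 'contract' from step 2).
FORMATTER_NEEDS = {"storage", "clipboardWrite"}

if __name__ == "__main__":
    print("v1:", sanity_check(FORMATTER_V1, FORMATTER_NEEDS))
    print("v2:", sanity_check(FORMATTER_V2, FORMATTER_NEEDS))
    print("added by update:", sorted(permission_creep(FORMATTER_V1, FORMATTER_V2)))
```

Run it against an installed extension by pointing json.load at its unpacked manifest.json; anything in "unjustified" is the question to put to the vendor, and anything in "high_risk" after an update is the signal to pause and escalate.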

Extensions are not the problem. Unvetted extensions with broad permissions are.

How we help

A five-minute check works best when it is backed by sensible controls rather than left to memory. This is where our team gives clients a hand.

Through AgileSECURE, we manage browser and endpoint security with application control aligned to the ASD Essential Eight. That means risky extensions can be blocked at the source, and approved tools can be allowlisted, so staff are guided to safe choices by default.

Through AgileMANAGED, we look after your endpoints and software governance day to day. We help you reduce extension sprawl, keep an approved list current, and make sure new installs follow a clear standard instead of an impulse click. Where Microsoft 365 is part of your environment, we manage those browser and tenant controls alongside everything else.

The goal is simple. Turn extensions from a hidden risk into a managed part of your environment, without slowing your people down.

If you are not sure what your team has installed, that is a good reason to take a look. We can run a browser extension review and set up controls that fit how your business actually works.