preloader
UNYK

When AI Browser Extensions Turn Into Data Theft: What Windows Admins Can Still Control

Laptop showing a fake AI browser extension flagged as a malicious extension, with a hooded hacker in the background, representing AI browser add-ons stealing data from Gmail and business apps.
If it feels like there is a new “AI helper” browser extension every week, that’s because there is. Unfortunately, some of them are a lot more interested in your data than your productivity. In the last few months, researchers have reported multiple campaigns of malicious Chrome extensions posing as AI assistants. Some have racked up hundreds of thousands of installs while quietly exfiltrating the content of web pages, Gmail messages, and other browser-based apps. A worrying number of these extensions target business users, going after tools like Meta Business Suite and other corporate SaaS platforms. Others disguise themselves as ChatGPT sidebars or “AI productivity helpers” while stealing session tokens and cookies so attackers can hijack accounts. So what can a Windows admin or security team actually do here – especially if your users live in Chrome and Edge all day?

The browser is the new desktop (and extensions are the new shadow IT)

For many organisations, the browser is the primary workspace:
  • Microsoft 365, Google Workspace, CRM, finance and HR tools all open in tabs.
  • SSO and MFA protecting access to sensitive SaaS apps.
  • Users jumping between a dozen web apps every hour.
AI helpers slot into that world perfectly: sidebars that summarise pages, extensions that talk to ChatGPT, plugins that auto-draft emails. They feel harmless and convenient, so people install them with very little scrutiny. The problem is that many of these tools ask for very broad permissions: “read and change all your data on all websites you visit” is practically the default. Once granted, that access lets an extension:
  • Read the content of internal SaaS apps and portals.
  • Scrape emails, support tickets, documents and chat logs.
  • Inject extra code that quietly exfiltrates that content to an attacker’s server.
From the attacker’s point of view, this is perfect: there is no need to hack your servers if a “helpful AI assistant” can just watch everything users do in the browser and send it home.

Do local admin rights matter here?

Most malicious AI extensions run entirely in the browser, in the context of the user. They don’t need local admin rights to read what’s on the screen in your SaaS apps. That’s why they are so attractive: they ride on top of normal, allowed behaviour. So where does local admin come in?
  • Bigger blast radius. If a user is also a local admin, an attacker who controls their browser has more options: drop additional malware, persist outside the browser, tamper with endpoint protection and start exploring the local file system.
  • Chaining attacks. A malicious extension or infostealer can be step one; a local privilege escalation bug on Windows can be step two to full SYSTEM control.
  • More “it’s fine, I’m an admin” installs. Users who can install anything on their machine – drivers, tools, random utilities – are usually less cautious about installing “just one more extension”.
So while these campaigns don’t depend on admin rights, they blend neatly into the same story: too much trust on the endpoint, too little control over what runs where.

Three practical steps for browser-based AI risks

You can’t fix Chrome’s entire extension ecosystem, but you can make things a lot safer on your own estate.
  1. Inventory and tame extensions. Use browser management (Chrome Enterprise policies, Edge policies, Intune, your RMM, etc.) to see which extensions are installed and where. From there:
    • Block known-bad extension IDs from recent advisories.
    • Allowlist a small set of approved AI helpers from vendors you trust.
    • Disable “install any extension from the web store” where possible.
  2. Educate on “AI-in-the-browser” risk. Make it clear to users that browser extensions are effectively software with access to their work. A short guidance page or lunch-and-learn can go a long way:
    • Prefer official web UIs for AI tools over random extensions.
    • Review permissions before installing anything.
    • Remove extensions you don’t actively use.
  3. Combine this with least privilege on the endpoint. If (or when) something bad does land in a browser, you want the endpoint to be as boringly locked down as possible:
    • Most users as standard users, not local admins.
    • Only a narrow set of apps allowed to run with admin rights.
    • Logging around elevated processes so you can spot odd behaviour.

Where Elevator for Windows fits in

At UNYK, we built Elevator for Windows to help with that last part. You can’t stop every risky browser extension from being created, but you can control what happens on your Windows endpoints when something slips through. Elevator helps you:
  • Keep users as standard users on their Windows devices.
  • Define a small list of approved executables that should run with admin rights.
  • Run those apps elevated automatically, without handing out local admin passwords.
  • Log elevation events so you know exactly which apps still depend on admin.
That way, if a malicious AI extension or infostealer does land in a user’s browser, its world stays smaller: it can’t easily turn that browser-level access into full machine control.

Related reading

If you’re looking at browser extension risk and local admin at the same time, these posts may help: If you’d like to see how Elevator behaves with two or three of your own “problem apps”, you can start a small pilot and measure how far you can reduce local admin without breaking anything: Start Free 30-Day Trial Request Elevator Pricing
Share the Post:

Related Posts