Beyond Shadow AI: The Data Exfil Risks of GenAI Browser Extensions
Just caught the LayerX report highlighted in The Hacker News, and it confirms a major blind spot we've been worrying about. We spend endless cycles blocking direct GenAI API connections, but users are installing AI extensions that act as a proxy, completely bypassing our DLP controls.
The core issue is the aggressive permission scope these extensions request. Many require `` host permission or scripting access to function. While legitimate for a summarizer, it gives the extension full read access to the DOM—including session cookies and tokens in internal tools.
I've started auditing our environment for high-risk extension IDs. If you're on Windows endpoints, you can query the registry to see what's actually installed in Chrome:
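```powershell
# Enumerate extension IDs under the registry key and report the first version subkey of each
Get-ChildItem "HKCU:\Software\Google\Chrome\Default\Extensions" -ErrorAction SilentlyContinue | ForEach-Object {
    $id = $_.PSChildName
    # The first child key name under the extension ID is treated as the version
    $version = (Get-ChildItem $_.PSPath -ErrorAction SilentlyContinue | Select-Object -First 1).PSChildName
    Write-Output "Extension ID: $id, Version: $version"
}
```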
Once you have the IDs, cross-reference them with the Chrome Web Store to verify publishers. We found several 'AI helper' extensions published by generic accounts with zero commit history.
On the detection side, we're seeing these extensions trigger exfil alerts when they scrape data to send to external inference APIs. Here is a KQL snippet for Sentinel/MDE to hunt for high-volume egress from browser processes:
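```kql
// Hunt for high-volume HTTPS egress initiated by browser processes.
// SentBytes must exist in your workspace's schema for this table; verify before running.
DeviceNetworkEvents
| where InitiatingProcessFileName in~ ('chrome.exe', 'msedge.exe', 'firefox.exe')
| where RemotePort == 443
| where SentBytes > 500000
| summarize TotalBytes=sum(SentBytes) by DeviceName, RemoteUrl
| where TotalBytes > 10000000
```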
How is everyone handling this? Are you flat-out blocking all AI extensions via Group Policy, or are you trying to allow-list specific functionality?
We moved to a strict allow-list policy last quarter. It was painful at first, but the security posture is worth it. We're using the ExtensionSettings policy in Chrome ADMX to force-install only approved tools and block everything else by setting installation_mode to 'blocked'.
```json
{ "*": { "installation_mode": "blocked" } }
```
If it's not on the allow-list, the user can't even download it.
From a pentester's view, these extensions are a goldmine for initial access. I recently wrote a PoC that mimics a 'Grammar Checker' but hooks into document.addEventListener to capture keystrokes on specific login pages. The scary part is that many of these extensions load remote JavaScript bundles that update without user interaction. If the developer's repo is compromised, every user gets a backdoor instantly. You have to treat extensions with the same scrutiny you apply to downloaded executables.
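An added example, not part of the thread: one way to triage collected extensions by the permission scope the opening post describes and by the ExtensionSettings allow-list from the first reply. It assumes each extension's `manifest.json` has already been gathered and parsed; the extension IDs, names, hosts and the choice of "sensitive" API permissions are constructed for illustration.

```python
import json

# Match patterns that cover every site (Chrome match-pattern syntax).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions treated as sensitive here (an assumption of this example).
SENSITIVE_APIS = {"scripting", "cookies", "webRequest", "tabs", "debugger"}
# ExtensionSettings installation_mode values that permit an extension.
PERMIT_MODES = {"allowed", "force_installed", "normal_installed"}


def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json (MV2 or MV3)."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    # MV3 lists host patterns separately; MV2 mixes them into "permissions".
    hosts = perms | set(manifest.get("host_permissions", []))
    findings = [f"broad host permission: {h}" for h in sorted(hosts & BROAD_HOSTS)]
    findings += [f"sensitive API: {a}" for a in sorted(perms & SENSITIVE_APIS)]
    for script in manifest.get("content_scripts", []):
        broad = sorted(set(script.get("matches", [])) & BROAD_HOSTS)
        if broad:
            findings.append("content script on: " + ", ".join(broad))
    return findings


def is_allowed(ext_id, policy):
    """Apply ExtensionSettings: a per-ID mode overrides the "*" default."""
    mode = policy.get(ext_id, {}).get("installation_mode")
    if mode is None:
        mode = policy.get("*", {}).get("installation_mode", "allowed")
    return mode in PERMIT_MODES


def triage(manifests, policy):
    """Map each extension ID to its policy status and permission findings."""
    return {i: {"allowed": is_allowed(i, policy), "findings": audit_manifest(m)}
            for i, m in manifests.items()}


# Constructed sample data: IDs, names and hosts are placeholders.
SAMPLE_MANIFESTS = {
    "a" * 32: {"manifest_version": 3, "name": "AI Summarizer (constructed)",
               "permissions": ["scripting", "storage"],
               "host_permissions": ["<all_urls>"]},
    "b" * 32: {"manifest_version": 3, "name": "Notes (constructed)",
               "permissions": ["storage"],
               "host_permissions": ["https://notes.example/*"]},
}
SAMPLE_POLICY = json.loads('{"*": {"installation_mode": "blocked"}}')
SAMPLE_POLICY["b" * 32] = {"installation_mode": "allowed"}

if __name__ == "__main__":
    for ext_id, result in triage(SAMPLE_MANIFESTS, SAMPLE_POLICY).items():
        print(ext_id, result)
```

Extensions that are both outside the allow-list and carry broad host findings are the ones to review first.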