Last week, a vulnerability in ChatGPT for Google Sheets — a plugin with over 185,000 downloads — was disclosed on Hacker News. Through an indirect prompt injection flaw, attackers could silently exfiltrate entire workbooks across a user’s account, harvest credentials through phishing overlays, and hijack the extension interface. The kicker? It worked even when users had explicitly disabled automatic edits.
This is not an isolated incident. It is the latest symptom of a systemic blind spot that most development teams and business leaders are ignoring: the AI browser extension layer sits outside your existing security controls, and it is growing faster than your ability to govern it.
TL;DR
- 67% of AI browser extensions actively collect user data, and 5% are independently classified as malicious — yet 99% of enterprise users have at least one extension installed
- The ChatGPT for Google Sheets breach (185,000 downloads) demonstrated that indirect prompt injection can exfiltrate entire workbooks, even with safety settings enabled
- 900,000 enterprise installations across 20,000 tenants were compromised by fake AI assistant extensions harvesting ChatGPT and DeepSeek conversation histories
- Traditional DLP and network security tools operate below the browser layer, leaving extension activity invisible — 95% of organisations reported a browser-originated security incident in the past year
- Organisations need browser-native security controls, extension allowlists, and formal AI tool governance policies immediately
The Numbers Paint a Grim Picture
The Cloud Security Alliance published a research note in April 2026 that should have set off alarm bells in every IT department. Here are the headline figures:
- 99% of enterprise users have at least one browser extension installed
- 1 in 6 enterprise users already has at least one AI-specific extension
- 67% of AI Chrome extensions actively collect user data
- 16.3% of AI extensions have a known CVE (compared to 10.8% across all extensions)
- AI extensions are 3× more likely to have access to cookies — meaning session tokens and authentication data
- 40% of files uploaded to AI platforms contain PII or payment card data
- 77% of employees paste data into generative AI tools, with 82% doing so through personal accounts
That last statistic is worth sitting with. Your employees are copying sensitive business data into AI tools through personal accounts that your corporate security stack cannot see, monitor, or control.
How the Attacks Actually Work
There are two distinct attack patterns emerging, and both exploit the fundamental trust model of browser extensions.
Pattern 1: Malicious Extensions Masquerading as Productivity Tools
In January 2026, Microsoft’s security team uncovered a campaign affecting nearly 900,000 installations across more than 20,000 enterprise tenants. Two extensions — “Chat GPT for Chrome with GPT-5, Claude Sonnet and DeepSeek AI” (600,000+ users) and “AI Sidebar with Deepseek, ChatGPT, Claude and more” (300,000+ users) — were quietly exfiltrating complete ChatGPT and DeepSeek conversation histories every thirty minutes to a command-and-control server.
These were not crudely built tools. They offered genuine AI functionality, passed Chrome Web Store review, and looked entirely legitimate. The exfiltration traffic was encrypted HTTPS to domains with clean reputation scores — indistinguishable from normal cloud synchronisation in your network logs.
Pattern 2: Indirect Prompt Injection Through Legitimate Extensions
The ChatGPT for Google Sheets vulnerability is arguably more concerning because the extension itself was not malicious. PromptArmor’s disclosure showed that attackers could embed hidden prompt injections (white text in imported spreadsheets) that, when processed by the extension, triggered execution of attacker-controlled scripts. The proof of concept exfiltrated twelve spreadsheets simultaneously, including workbooks discovered through links within the initially stolen files.
This is a supply chain attack that does not require compromising any software. It weaponises the data your team already works with.
Why Your Existing Security Stack Cannot See This
Here is the uncomfortable truth: traditional enterprise security was not built for this threat model.
Network-layer DLP monitors traffic between your infrastructure and the internet. Browser extensions operate within the browser process itself — they can read page content, modify DOM elements, and exfiltrate data through encrypted channels that look identical to legitimate API calls.
Endpoint detection and response (EDR) tools watch for suspicious process behaviour, file system changes, and known malware signatures. A browser extension making HTTPS requests to a cloud endpoint triggers none of these heuristics.
Identity and access management (IAM) controls who can access what systems. But when an employee installs a personal browser extension that reads their authenticated sessions, your IAM layer has no visibility into what happens next.
Palo Alto Networks’ 2026 browser security research confirmed what many suspected: 95% of organisations experienced a security incident originating in the browser, yet most continue to rely on controls designed for network and endpoint layers that have no meaningful visibility into browser-session activity.
The Shadow AI Dimension
This problem is compounded by shadow AI usage. The CSA research found that 68% of corporate logins to AI platforms bypass SSO entirely, and generative AI now accounts for roughly one-third of all corporate-to-personal data movement.
In practical terms: your developers, product managers, and marketing team are copying proprietary data into AI tools that your security team does not know about, through extensions your IT department did not approve, using personal accounts your IAM system cannot govern. And 26% of enterprise extensions are sideloaded outside official stores entirely, with over half of extension publishers identifiable only by Gmail addresses.
This is not a hypothetical risk. It is happening right now in your organisation.
What Your Team Should Do This Week
1. Audit Your Extension Landscape
Use your browser management tools (Chrome Enterprise, Edge for Business) to inventory every extension installed across your organisation. Flag all AI-specific extensions immediately. You will almost certainly be surprised by what you find.
2. Implement an Extension Allowlist
Move from a default-allow to a default-deny posture for browser extensions. Maintain a vetted allowlist of approved extensions, and require justification for any additions. This is table stakes in 2026.
3. Deploy Browser-Native DLP
Traditional network DLP cannot see what browser extensions do. Invest in browser-layer security that can monitor copy-paste interactions, extension data access patterns, and unusual traffic from browser processes. Solutions exist from multiple vendors — the key is operating at the browser layer, not below it.
4. Establish AI Tool Governance
Create a formal policy that covers which AI tools are approved for business use, what data classifications are permitted in AI tools, whether personal accounts are acceptable for business AI usage, and how new AI tools are evaluated and approved. Make this policy enforceable through technical controls, not just documentation.
5. Extend Zero Trust to the Browser
Your zero-trust architecture likely stops at the application layer. Browser sessions — particularly those with AI extensions — need the same trust verification, continuous authentication, and least-privilege access that you apply to your infrastructure.
The Bigger Picture
AI browser extensions are a microcosm of a larger challenge: the AI tooling explosion is outpacing security governance. Every week, new AI-powered productivity tools appear that promise to summarise your emails, analyse your spreadsheets, or write your code. Each one requires access to sensitive data to function. Each one represents a trust decision that most organisations are making implicitly rather than deliberately.
At REPTILEHAUS, we work with development teams and businesses across Dublin and beyond to build secure, production-ready applications. Increasingly, that conversation includes how AI tools integrate with existing workflows — and where the security boundaries need to sit. If your team is adopting AI tools (and it almost certainly is, whether you know it or not), the extension layer deserves the same scrutiny you give to your API endpoints, your CI/CD pipeline, and your cloud infrastructure.
The browser is no longer just a window to the web. It is a runtime environment where your most sensitive data meets your least governed software. Act accordingly.
Need help assessing your AI security posture or building secure integrations? Get in touch with our team.
📷 Photo by Zulfugar Karimov on Unsplash
