Browser Security Risks and Overtrust: Key Findings
Over 85% of daily work is conducted through web browsers, according to the State of Workforce Security.
This makes browser security a critical enterprise concern.
Yet, most companies still rely on endpoint tools that can’t see what happens there.
That blind spot is costing organizations more than they realize.
“Most data breaches today don't happen because systems are hacked,” says Nishant Sharma, Head of Cybersecurity Research at SquareX.
“They happen because browsers are trusted more than they should be.”
In Episode No. 122 of the DesignRush Podcast, Sharma explains how invisible browser-level decisions are reshaping organizational trust, user safety, and competitive readiness.
Sharma draws on research into browser architecture, extensions, and embedded AI tools.
He highlights a growing gap in how organizations approach modern threats, especially those hiding in the tools workers use every day, and also shares:
- Why browser-based work has become the most overlooked attack surface
- How everyday tools like extensions and AI introduce invisible risks
- Why legacy security tools miss threats rooted in architecture and behavior
Episode Chapter Summary
For a quick overview of the full episode, here are key moments from the conversation:
- 01:18 – Why most breaches begin with browser trust, not hacking
- 06:03 – How architectural flaws differ from code bugs in browser design
- 09:20 – How extensions quietly hijack user data and permissions
- 13:46 – Why traditional security tools miss browser-native threats
- 25:35 – OAuth abuse explained: persistent permissions and long-term access risks
If you're unsure where your organization's real cyber risk lives, this episode brings much-needed clarity.
Listen to the full episode now on Spotify or watch on YouTube to protect your business from the threats you can’t see.
1. Mistake: Trusting Extensions Just Because They’re in the Chrome Store
Browser extensions are among the most commonly installed tools in the workplace, often without any security oversight.
Users install them to speed up workflows, customize websites, or automate simple tasks.
But under the hood, many extensions do far more than advertised.
“Ninety to ninety-eight percent of people don’t understand the power of extensions and the kind of damage that they can do,” Sharma says.
“Three percent of the code will be doing the functionality that it advertises, but then 97% of the code is actually taking away all of your history.”
The most dangerous part is how these extensions don’t need to be malicious at the start.
Attackers often buy legitimate, popular extensions and quietly push malicious updates.
And so, what may have started as a helpful tool can quickly turn into a surveillance platform without the user ever realizing it.
That’s why it’s critical to vet extensions like you would any software vendor, limit what gets installed, and monitor for changes in ownership or behavior over time.
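As an added example that is not from the podcast or from SquareX, the script below shows one concrete way to do the vetting and change-monitoring described above: it reads a Chrome extension manifest.json, flags permissions that expose browsing data or give broad control, and diffs two versions of a manifest so that an update which quietly widens its permissions stands out. The permission names are real Chrome permission strings; the risk grouping and the two manifests are this example's own constructions.

```javascript
// Added example (not from the podcast or SquareX): audit a Chrome extension
// manifest.json for high-risk permissions and detect permission growth between
// two versions, which is what a quietly pushed malicious update tends to look like.

// Real Chrome permission names; grouping them as "high risk" is this example's
// own judgment: each exposes browsing data or hands over browser control.
const HIGH_RISK = new Set([
  "history", "cookies", "webRequest", "webRequestBlocking", "debugger",
  "nativeMessaging", "management", "clipboardRead", "scripting", "tabs",
]);

// Host patterns that match every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Collect every permission-like string from an MV2 or MV3 manifest.
function collectPermissions(manifest) {
  const perms = new Set();
  const keys = ["permissions", "optional_permissions", "host_permissions", "optional_host_permissions"];
  for (const key of keys) {
    for (const p of manifest[key] || []) perms.add(p);
  }
  // A content script injected on every page is equivalent to broad host access.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) perms.add(m);
  }
  return perms;
}

// Returns the manifest's risky permissions with a one-line reason for each.
function auditManifest(manifest) {
  const findings = [];
  for (const p of collectPermissions(manifest)) {
    if (HIGH_RISK.has(p)) {
      findings.push({ permission: p, reason: "exposes browsing data or controls the browser" });
    } else if (BROAD_HOSTS.has(p)) {
      findings.push({ permission: p, reason: "runs on every site the user visits" });
    }
  }
  return { name: manifest.name, version: manifest.version, score: findings.length, findings };
}

// Permissions present in the new version but absent from the old one.
function diffPermissions(oldManifest, newManifest) {
  const before = collectPermissions(oldManifest);
  return [...collectPermissions(newManifest)].filter((p) => !before.has(p)).sort();
}

// Constructed manifests: v1 is a modest tab helper, v2 is the same extension
// after an update that added history, cookie and all-site access.
const v1 = {
  manifest_version: 3, name: "Tab Tidy (constructed)", version: "1.0.0",
  permissions: ["storage", "activeTab"],
};
const v2 = {
  ...v1, version: "1.1.0",
  permissions: ["storage", "activeTab", "history", "cookies"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["collect.js"] }],
};

console.log(JSON.stringify(auditManifest(v2), null, 2));
console.log("added by update:", diffPermissions(v1, v2));
```

Run the audit against each extension version before it is allowed onto managed browsers, and re-run it on every update: a jump in `score` or a non-empty `diffPermissions` result is the signal to re-review the extension, regardless of how trusted its first version was.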
2. Oversight Gap: OAuth Access That Never Expires
Many teams use Google logins for convenience. But few understand the long-term risk of OAuth access.
Once a user grants access to a third-party app, that permission often persists forever unless manually revoked.
“People just click 'Allow,' trusting Google,” Sharma explains.
“It'll remain there till the time you revoke it. And most people don't know it... revoking it is actually out of the question.”
This creates a silent attack vector where malicious actors can harvest email, calendar, and file access long after a user has forgotten the interaction.
Attackers can take advantage of those lingering permissions to access or reset user accounts.
That’s why it’s important to regularly revoke access to unused apps and make sure users understand what they’re consenting to when approving OAuth scopes.
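The following is an added example, not code from the podcast or from SquareX, of the periodic review recommended above: given an inventory of third-party OAuth grants, it classifies the granted scopes by sensitivity and flags grants that hold sensitive access but have not been used within a chosen idle window, so they can be queued for revocation. The scope strings are real Google API scopes; the grant inventory is constructed, and the `lastUsed` field is an assumption about what an exported inventory would carry.

```javascript
// Added example (not from the podcast or SquareX): find stale OAuth grants that
// still hold sensitive scopes. The grant records below are constructed; the
// "lastUsed" field is an assumed attribute of an exported grant inventory.

// Real Google scope strings; which ones count as sensitive is this example's own
// policy (mail, files and calendar are what the passage above singles out).
const SENSITIVE_SCOPES = new Set([
  "https://mail.google.com/",
  "https://www.googleapis.com/auth/gmail.readonly",
  "https://www.googleapis.com/auth/gmail.modify",
  "https://www.googleapis.com/auth/drive",
  "https://www.googleapis.com/auth/drive.readonly",
  "https://www.googleapis.com/auth/calendar",
]);

const DAY_MS = 24 * 60 * 60 * 1000;

// Returns the grants that should be reviewed for revocation: any grant with at
// least one sensitive scope that has sat unused for longer than maxIdleDays.
function staleSensitiveGrants(grants, now, maxIdleDays) {
  const results = [];
  for (const g of grants) {
    const sensitive = g.scopes.filter((s) => SENSITIVE_SCOPES.has(s));
    if (sensitive.length === 0) continue;
    const idleDays = Math.floor((now - Date.parse(g.lastUsed)) / DAY_MS);
    if (idleDays > maxIdleDays) {
      results.push({ user: g.user, app: g.app, sensitive, idleDays });
    }
  }
  return results.sort((a, b) => b.idleDays - a.idleDays);
}

// Constructed inventory: one active low-privilege grant, one active mail grant,
// and one long-forgotten grant that still reads mail and files.
const grants = [
  { user: "ana@example.test", app: "Slide Helper (constructed)",
    scopes: ["openid", "email"], lastUsed: "2024-05-01T09:00:00Z" },
  { user: "ana@example.test", app: "Inbox Sorter (constructed)",
    scopes: ["https://www.googleapis.com/auth/gmail.readonly"], lastUsed: "2024-05-28T09:00:00Z" },
  { user: "ben@example.test", app: "Free PDF Tool (constructed)",
    scopes: ["https://www.googleapis.com/auth/gmail.readonly",
             "https://www.googleapis.com/auth/drive"], lastUsed: "2023-11-15T09:00:00Z" },
];

const NOW = Date.parse("2024-06-01T00:00:00Z"); // fixed "today" so the run is reproducible
console.log(staleSensitiveGrants(grants, NOW, 90));
```

The output lists only Ben's forgotten PDF tool, which still holds mail and Drive access after months of inactivity; Ana's mail grant is sensitive but in active use and is left alone. Feeding a real export into `staleSensitiveGrants` gives a review queue, and tightening `maxIdleDays` or extending `SENSITIVE_SCOPES` adjusts how aggressive the cleanup is.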
3. Blind Spot: Traditional Security Tools Can’t See Browser Threats
Most enterprise security stacks are built around endpoints, networks, and devices.
But modern attacks increasingly live entirely within the browser, never touching the file system or triggering antivirus alerts.
“They'll never touch your machine, your hard disk,” Sharma explains.
“The conventional way of protecting them (your antiviruses and your endpoint detection and response systems) they are not able to look into it.”
Encrypted payloads and in-browser execution mean attackers can bypass traditional defenses without detection.
The risk? Invisible attacks bypass traditional defenses.
To prevent this, implement browser-level visibility and defense systems.
4. Risk Amplifier: AI Tools That Shortcut Trust
The rise of AI-powered agents has created a new category of exposure.
Users upload sensitive documents or grant browser control to extensions without realizing how much access they’ve handed over.
“You go there and you're uploading the file and you're downloading the file then... you’re going to double click on the file that is downloaded,” Sharma says.
Sharma points to tools that mimic automation agents, where AI plugins can control browser behavior, access inboxes, or summarize files—often with minimal user oversight.
What's at stake? Productivity-enhancing tools become gateways for data loss.
So, be sure to prioritize verified vendors. Add AI policy guardrails. Keep humans in the loop for sensitive actions.
This concern is already playing out across the industry, as browser vendors and AI leaders race to redefine how autonomous agents interact with everyday workflows.
5. Behavior Shift: Security Starts With Awareness, Not Just Tools
Technology alone can’t solve what behavior keeps breaking. Many breaches start not with a vulnerability, but with a click.
“There are certain things that are easy to do just by changing your behaviors, just by changing your habits,” Sharma says.
From clicking on malicious ads to using free online converters, users often bypass security policies for speed or convenience.
“It will open as a PDF, but then it is also doing something else,” he adds.
The worrying outcome? Familiar workflows masking serious threats.
To keep protected, normalize digital hygiene. Train teams to pause, question, and verify.
About the Guest
Nishant Sharma
Head of Cybersecurity Research, SquareX
Sharma leads browser-focused cybersecurity research at SquareX, uncovering how real-world behavior and architectural flaws drive modern threats. His work helps enterprises shift from reactive defense to proactive trust-building across browser and AI environments.
Why Browser-Native Awareness Must Catch Up Now
Browser risk is no longer niche.
As AI accelerates and web apps become the workplace, organizations must treat browser security as core infrastructure.
“Just like any great technical advancement, it also has a yin and yang,” says Sharma.
“It is completely dependent on what part you're using it and which part eventually wins.”
Those who act early move faster, build trust, and unlock AI’s potential safely.
Watch the full conversation on YouTube or listen on Spotify.
Check out DesignRush’s Top Cybersecurity Firms to find expert partners.