Browser Privilege Drift

Browser privilege drift is the gap between what an extension says it does and what its permissions allow it to do. In practice, a simple utility can evolve into a broad access layer for browsing data, requests, and stored state, which makes governance and offboarding essential.

Expanded Definition

Browser privilege drift describes the mismatch between a browser extension’s stated purpose and the breadth of access granted by its permissions. In NHI security, that matters because extensions can observe pages, modify requests, read stored state, and interact with authenticated sessions in ways that exceed the original design intent. The issue is not only the extension itself, but the long-tail exposure created when users install, update, or retain add-ons without revisiting permissions or ownership. Guidance across the industry varies, but the core governance principle is consistent: access should stay tightly aligned to the minimum operational need, similar to how the OWASP Non-Human Identity Top 10 treats excess privilege as a standing risk.

Browser privilege drift is often confused with ordinary software updates, yet the security problem is different. A feature update may silently expand effective access without a matching review of risk, ownership, or offboarding. The most common misapplication is treating extensions as harmless productivity tools, which occurs when teams approve broad permissions for convenience and never revalidate them after role changes or vendor changes.

Examples and Use Cases

Implementing controls against browser privilege drift rigorously often introduces operational friction, requiring organisations to weigh user convenience against session exposure, data visibility, and administrative overhead.

  • A password manager extension is granted access to all websites, then later gains the ability to inspect form data on internal admin portals, creating a broader trust zone than the initial deployment review assumed.
  • A support tool starts as a simple ticket helper, but after updates it can read page content, rewrite requests, and export browser state, so offboarding must cover both the user and the extension lifecycle.
  • A developer installs a web automation add-on for testing, then keeps it active on a production profile where it can see tokens, dashboards, and authenticated application traffic.
  • A security team reviews the risk using the Ultimate Guide to NHIs — Key Challenges and Risks alongside the extension permission model, because browser extensions can behave like non-human actors with persistent access.
  • During incident response, teams compare browser-side permissions with broader identity governance patterns and cross-check incident patterns such as the Salesloft OAuth token breach, where drift and overbroad access amplified impact.

Browser privilege drift also appears when enterprise app marketplaces allow approved extensions to remain installed after the business case has expired, leaving dormant but capable access paths inside managed browsers.

Why It Matters in NHI Security

Browser privilege drift matters because it creates a quiet, persistent access layer that is hard to inventory and easy to ignore until it is exploited. NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, a visibility gap that mirrors how poorly many teams track extension-level access over time. When permissions are not reviewed, a browser add-on can become a covert bridge into data, tokens, and authenticated workflows, even if the original use case was narrow. This makes governance, approved-extensions lists, and periodic permission recertification essential controls rather than optional hygiene.

From a security and audit perspective, browser privilege drift undermines least privilege, offboarding, and zero trust assumptions. It can also complicate incident response because the affected surface is not just the browser user, but every application session the browser can reach. Practitioners should map extension permissions to identity ownership, business justification, and decommissioning steps, then treat suspicious permission expansion as a governance event. Organisations typically encounter the consequences only after a token theft, data leakage, or account abuse, at which point browser privilege drift becomes operationally unavoidable to address.
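The following script is an added example, not NHIMG tooling or part of the original guidance. It shows one way to make "permission expansion" a concrete, reviewable event: it compares two versions of an extension manifest, separates API permissions from host permissions, and flags any newly granted access that reaches authenticated sessions or every site the user visits. It assumes Chromium-style Manifest V3 keys (`permissions`, `host_permissions`, `optional_permissions`, `optional_host_permissions`), and the risk tiers and the two sample manifests are constructed for illustration, not drawn from a published standard or a real extension.

```python
"""Detect browser-extension permission drift between two manifest versions.

Added example, not NHIMG code. Assumptions: manifests follow the Chromium
Manifest V3 layout; the risk tiers below are an illustrative policy that a
governance team would tune to its own approved-extensions list.
"""
import json

# Illustrative policy (assumption, not a standard list): API permissions that
# let an extension observe or alter sessions, requests, or browser state.
HIGH_RISK_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "debugger", "history",
    "scripting", "management", "nativeMessaging", "clipboardRead",
}

# Host patterns that effectively mean "every site the user is logged into".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def effective_permissions(manifest: dict) -> tuple:
    """Return (api_permissions, host_patterns) granted or grantable by a manifest.

    Optional permissions are included because a user can approve them at
    runtime without any further review by the organisation.
    """
    api = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | set(manifest.get("optional_host_permissions", []))
    # Manifest V2 mixed host patterns into `permissions`; move them to hosts.
    for p in list(api):
        if "://" in p or p == "<all_urls>":
            api.discard(p)
            hosts.add(p)
    return api, hosts


def drift_report(old_manifest: dict, new_manifest: dict) -> dict:
    """Compare two manifest versions and describe newly granted access."""
    old_api, old_hosts = effective_permissions(old_manifest)
    new_api, new_hosts = effective_permissions(new_manifest)
    added_api = new_api - old_api
    added_hosts = new_hosts - old_hosts

    findings = []
    for p in sorted(added_api & HIGH_RISK_PERMISSIONS):
        findings.append(f"new high-risk API permission: {p}")
    for h in sorted(added_hosts & BROAD_HOST_PATTERNS):
        findings.append(f"new broad host permission: {h}")
    for h in sorted(added_hosts - BROAD_HOST_PATTERNS):
        findings.append(f"new host permission: {h}")

    return {
        "name": new_manifest.get("name", "<unknown>"),
        "old_version": old_manifest.get("version"),
        "new_version": new_manifest.get("version"),
        "added_api": sorted(added_api),
        "added_hosts": sorted(added_hosts),
        "findings": findings,
        # Drift that should trigger recertification rather than a silent update.
        "requires_review": bool(added_api & HIGH_RISK_PERMISSIONS)
        or bool(added_hosts & BROAD_HOST_PATTERNS),
    }


# Constructed sample manifests: a "ticket helper" that starts narrow and, after
# an update, can read cookies, observe requests, and inject scripts everywhere.
OLD_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Ticket Helper", "version": "1.0",
  "permissions": ["storage"],
  "host_permissions": ["https://helpdesk.example.com/*"]
}""")

NEW_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Ticket Helper", "version": "1.4",
  "permissions": ["storage", "cookies", "webRequest", "scripting"],
  "host_permissions": ["<all_urls>"]
}""")

if __name__ == "__main__":
    report = drift_report(OLD_MANIFEST, NEW_MANIFEST)
    print(f"{report['name']} {report['old_version']} -> {report['new_version']}")
    for line in report["findings"]:
        print("  -", line)
    print("requires review:", report["requires_review"])
```

In practice the two manifests would come from the extension package on record at approval time and the version currently installed in the managed browser, and `requires_review` would feed the recertification workflow rather than a console line. Optional permissions are deliberately counted as effective access, since a later runtime prompt is exactly the kind of expansion that never reaches the approval record.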

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Excess browser extension permissions mirror overprivileged NHI access and secret exposure risk. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access management applies to browser extensions that can reach identities and data. |
| NIST Zero Trust (SP 800-207) | SC.L1 | Zero Trust limits implicit trust, including browser-side tools that can alter or observe requests. |

Inventory browser extensions, review permissions, and remove any access that exceeds business need.