By NHI Mgmt Group Editorial Team
Published 2025-09-05
Domain: Governance & Risk
Source: Push Security

TL;DR: Browser-based attacks are now the main path into business apps, with phishing, ClickFix, malicious OAuth grants, extensions, and stolen credentials all converging in the browser, according to Push Security. The security boundary has shifted from endpoint and email controls to browser-visible identity and session behaviour, making app access governance and detection the critical control plane.


At a glance

What this is: This is an analysis of six browser-based attack techniques that now target identity, sessions, OAuth grants, extensions, and stolen credentials in the browser.

Why it matters: It matters because security teams can no longer rely on email, endpoint, or IdP-only visibility when attackers are compromising SaaS access through the browser.

By the numbers:

  • 2025.
  • The news around extension-based compromises has been on the rise since the Cyberhaven extension was hacked in December 2024, along with at least 35 other extensions.

👉 Read Push Security's analysis of browser-based attacks and identity abuse


Context

Browser-based attack techniques are increasingly the shortest route to business applications because employees now access SaaS, cloud, and third-party services through the browser rather than through a locked-down local network. That shifts the security problem from perimeter control to identity and session control inside the browser, where phishing, OAuth abuse, extensions, and file delivery all intersect with IAM.

The key governance issue is visibility. If security teams cannot see how users authenticate, which grants they approve, which extensions run, and where sessions are hijacked, then they cannot reliably protect the identity surface that modern work depends on. Browser-level control has become a core part of NHI, human IAM, and access governance alike.


Key questions

Q: How should security teams reduce browser-based identity compromise across SaaS apps?

A: Security teams should treat the browser as an identity control point, not just a user interface. That means inventorying browser-accessed apps, limiting OAuth consent, restricting browser extensions, and using telemetry that can detect session theft and suspicious user actions before attackers turn access into data loss.

Q: Why do phishing-resistant MFA methods still leave browser-based attacks dangerous?

A: Phishing-resistant MFA can stop password capture, but it does not stop attackers who steal the resulting session, trick a user into approving an OAuth grant, or use a malicious extension. The browser remains the place where authentication turns into access, so defenders need visibility beyond the login step.

Q: What do security teams get wrong about malicious browser extensions?

A: They often treat extensions as productivity add-ons instead of privileged software with access to content, cookies, tabs, and browsing history. That mistake leaves a hidden access layer inside the browser, where a single malicious extension can steal sessions, inject content, or exfiltrate sensitive data.

Q: Who is accountable when browser-based attacks bypass app login controls?

A: Accountability sits across identity, SaaS, and security operations teams because the failure often lies in consent policy, application inventory, and session visibility rather than in one product. Frameworks such as the NIST Cybersecurity Framework 2.0 and browser-aware access governance help assign ownership for those gaps.


Technical breakdown

AiTM phishing and session hijacking in the browser

Attacker-in-the-middle phishing works by proxying the real login flow through a malicious site so the victim completes authentication against the genuine service while the attacker captures the resulting session. That means the browser, not the email inbox, becomes the decisive control point. Modern kits add code obfuscation, anti-bot checks, and hosted delivery on legitimate cloud services to evade static detection. The result is that password theft is often less important than session theft, which lets the attacker bypass many MFA implementations after authentication completes.

Practical implication: teams need browser-level session visibility and detection for suspicious login and token replay patterns, not only email filtering and IdP alerts.
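Two checks for this pattern, written here as an added example rather than code from Push Security or the original article: the first flags a session later presented from a different client than the one it was issued to, the second flags IdP logins that no managed browser of that user reports completing. The event shapes and the sample events are constructed assumptions.

```python
"""Two browser-centric checks for AiTM-style session theft (added example,
not Push Security's code). Event shapes are assumed: constructed dicts with
user, ip, ua and ts (Unix seconds); IdP events also carry session_id."""

# Constructed IdP events: session s-1 is issued to one client, then presented
# 300 s later from another IP/UA, as when a proxy-captured cookie is imported
# into the attacker's own browser. s-2 is a normal session.
IDP_EVENTS = [
    {"ts": 1000, "user": "alice", "session_id": "s-1", "ip": "203.0.113.10", "ua": "Chrome/128 Win"},
    {"ts": 1300, "user": "alice", "session_id": "s-1", "ip": "198.51.100.77", "ua": "Chrome/120 Linux"},
    {"ts": 2000, "user": "bob", "session_id": "s-2", "ip": "192.0.2.5", "ua": "Firefox/130 macOS"},
    {"ts": 5000, "user": "bob", "session_id": "s-2", "ip": "192.0.2.5", "ua": "Firefox/130 macOS"},
]
# Constructed managed-browser telemetry: bob's browser reports the login the
# IdP saw; alice's browser was at a different IP, because the IdP actually
# completed the login with the phishing proxy, not with her browser.
BROWSER_LOGINS = [
    {"ts": 1995, "user": "bob", "ip": "192.0.2.5"},
    {"ts": 998, "user": "alice", "ip": "203.0.113.55"},
]

def session_issue_events(idp_events):
    """First (issuing) IdP event per session id, in time order."""
    first = {}
    for e in sorted(idp_events, key=lambda e: e["ts"]):
        first.setdefault(e["session_id"], e)
    return first

def find_session_replay(idp_events, window_seconds=3600):
    """Flag a session presented from a different ip/ua than it was issued to."""
    first, alerts = session_issue_events(idp_events), []
    for e in idp_events:
        origin = first[e["session_id"]]
        changed = [k for k in ("ip", "ua") if e[k] != origin[k]]
        if changed and 0 < e["ts"] - origin["ts"] <= window_seconds:
            alerts.append({"user": e["user"], "session_id": e["session_id"],
                           "changed": changed, "new_ip": e["ip"]})
    return alerts

def find_proxied_logins(idp_events, browser_logins, slack_seconds=60):
    """Flag IdP sessions that no managed browser of that user completed.

    A match needs the same user and IP within slack_seconds of issuance; a
    miss means something other than the user's browser finished the login."""
    alerts = []
    for sid, issue in session_issue_events(idp_events).items():
        if not any(b["user"] == issue["user"] and b["ip"] == issue["ip"]
                   and abs(b["ts"] - issue["ts"]) <= slack_seconds
                   for b in browser_logins):
            alerts.append({"user": issue["user"], "session_id": sid, "idp_ip": issue["ip"]})
    return alerts
```

The second check is the one that needs browser telemetry: IdP logs alone show a successful login from the proxy and nothing else.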

Consent phishing and malicious OAuth grants

Malicious OAuth integrations exploit the authorisation step rather than the password prompt. The user approves an attacker-controlled app, and the permissions granted in that consent screen determine what the attacker can read or do. Because this bypasses the normal login sequence, phishing-resistant MFA does not prevent it. The real control gap is not authentication strength alone but the combination of unmanaged app inventory, weak tenant settings, and limited visibility into which OAuth grants exist across the enterprise.

Practical implication: security teams need central review of OAuth apps, scopes, and tenant policies across every browser-accessed service, not just the primary identity provider.
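An added example (not Push Security's code) of the central grant review described above: it scores a constructed OAuth grant export by the scopes delegated, doubles the score for unverified publishers, and groups affected users per app. The export format and the weights are assumptions; the scope names are Microsoft Graph delegated permissions.

```python
"""Rank a tenant's OAuth grants by the access they delegate (added example,
not Push Security's code). The export shape is assumed; scope names are real
Microsoft Graph delegated permissions, the weights are this example's own."""

# Scopes reaching mail, files or the directory, plus offline_access, which
# issues a refresh token so the grant outlives the session it was approved in.
SCOPE_WEIGHTS = {
    "Directory.ReadWrite.All": 4, "Mail.ReadWrite": 3, "Mail.Send": 3,
    "Files.ReadWrite.All": 3, "Mail.Read": 2, "Files.Read.All": 2,
    "Contacts.Read": 1, "offline_access": 1,
}

# Constructed grant export: a verified app with narrow scopes, an unverified
# app with mail read/write/send plus offline_access (the consent-phishing
# shape) approved by two users, and an unverified app that only reads a profile.
GRANTS = [
    {"app": "Calendar Helper", "publisher_verified": True, "user": "alice",
     "scopes": ["User.Read", "Calendars.Read"]},
    {"app": "Mail Cleaner Pro", "publisher_verified": False, "user": "bob",
     "scopes": ["User.Read", "Mail.ReadWrite", "Mail.Send", "offline_access"]},
    {"app": "Mail Cleaner Pro", "publisher_verified": False, "user": "dave",
     "scopes": ["User.Read", "Mail.ReadWrite", "Mail.Send", "offline_access"]},
    {"app": "Profile Badge", "publisher_verified": False, "user": "carol",
     "scopes": ["User.Read", "openid"]},
]

def score_grant(grant):
    """Return (score, reasons): scope weights summed, doubled for an unverified publisher."""
    risky = [s for s in grant["scopes"] if s in SCOPE_WEIGHTS]
    score = sum(SCOPE_WEIGHTS[s] for s in risky)
    reasons = [f"{s} (+{SCOPE_WEIGHTS[s]})" for s in risky]
    if score and not grant["publisher_verified"]:
        score *= 2
        reasons.append("unverified publisher (x2)")
    return score, reasons

def review_grants(grants, threshold=4):
    """Aggregate flagged grants per app with score, affected users and reasons.

    Several users consenting to the same risky app is the campaign signal, so
    the user list travels with the score; highest risk first."""
    by_app = {}
    for g in grants:
        score, reasons = score_grant(g)
        if score < threshold:
            continue
        row = by_app.setdefault(g["app"], {"app": g["app"], "score": score, "users": [], "reasons": reasons})
        row["users"].append(g["user"])
    return sorted(by_app.values(), key=lambda r: (-r["score"], -len(r["users"])))
```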

Browser extensions as a shadow access layer

Browser extensions can observe pages, modify content, capture tabs, and access cookies or history, which makes them a hidden identity and data control plane inside the browser. A malicious extension can steal sessions, inject phishing content, or exfiltrate sensitive data without touching the network perimeter. The risk rises sharply when employees can install extensions freely or when legitimate extensions are later updated with malicious code. This is why extension permissions matter as much as application permissions in browser-centric environments.

Practical implication: teams should inventory browser extensions, restrict risky permissions, and treat extension install rights as privileged access.
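An added example (not Push Security's code) of the extension inventory step: it parses Chrome extension manifests, scores the API permissions and host patterns they request, and flags extensions whose privilege crosses a threshold. The extension names, manifests and weights are constructed assumptions; the manifest keys are real Chrome fields.

```python
"""Rank browser extensions by the privilege their manifests request (added
example, not Push Security's code). Manifest keys are Chrome's real fields;
weights, names and manifests are this example's own constructed assumptions."""
import json

# API permissions that reach cookies, traffic, tabs or page content, i.e. the
# session and data path the text calls a hidden access layer.
PERMISSION_WEIGHTS = {"cookies": 4, "webRequest": 3, "nativeMessaging": 3, "tabs": 2,
                      "history": 2, "scripting": 2, "clipboardRead": 2,
                      "declarativeNetRequest": 2, "storage": 0, "activeTab": 0}
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

MANIFESTS = {
    "word-counter": json.dumps({"manifest_version": 3, "version": "1.2",
                                "permissions": ["activeTab", "storage"]}),
    # a later update of this one added cookies, webRequest and every-site host access
    "tab-tidy": json.dumps({"manifest_version": 3, "version": "4.0",
                            "permissions": ["tabs", "cookies", "webRequest", "storage"],
                            "host_permissions": ["<all_urls>"]}),
}

def privilege_score(manifest_json):
    """Parse one manifest and return (score, findings) for the access it requests."""
    m = json.loads(manifest_json)
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions"
    hosts = [p for p in m.get("permissions", []) if "://" in p or p in ALL_SITES]
    hosts += m.get("host_permissions", [])
    apis = [p for p in m.get("permissions", []) if p not in hosts]
    score, findings = 0, []
    for p in apis:
        w = PERMISSION_WEIGHTS.get(p, 1)  # permissions not in the table count 1: review them
        if w:
            score += w
            findings.append(f"{p} (+{w})")
    if any(h in ALL_SITES for h in hosts):
        score += 4
        findings.append("host access to every site (+4)")
        if "cookies" in apis:  # cookies on every site: any logged-in session is readable
            score += 3
            findings.append("cookies across all sites (+3)")
    return score, findings

def review_extensions(manifests, threshold=5):
    """Extensions at or above threshold, highest privilege first."""
    rows = []
    for name, mj in manifests.items():
        score, findings = privilege_score(mj)
        if score >= threshold:
            rows.append({"extension": name, "score": score, "findings": findings})
    return sorted(rows, key=lambda r: -r["score"])
```

Re-running the review on every version change catches the case the text names: a benign extension whose update quietly broadens its permissions.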


Threat narrative

Attacker objective: The attacker wants durable access to cloud applications and business data that can be monetized through theft, extortion, or further account abuse.

  1. Entry begins when the attacker delivers a browser lure through email, messaging, ads, malvertising, or in-app messaging, then routes the victim into a fake login, consent flow, or clipboard prompt.
  2. Escalation happens when the victim submits credentials, approves an OAuth grant, copies and runs malicious code, or installs a malicious extension, giving the attacker session or application-level access.
  3. Impact follows when the attacker uses the stolen session, permissions, or malware foothold to dump SaaS data, hijack business apps, or monetize access through extortion and theft.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Browser-based identity abuse is now a governance problem, not just a detection problem. The article shows that attackers are no longer relying on network compromise alone. They are using the browser to target sessions, OAuth grants, extensions, and downloaded content, which means the identity surface has expanded into places many IAM programmes still do not monitor. Practitioners should treat browser-observed identity behaviour as part of core access governance, not as a peripheral telemetry feed.

Session theft has become the dominant failure mode because authentication is no longer the final control point. AiTM phishing works by completing the user journey and then stealing the resulting session, which breaks the assumption that MFA completion equals safety. That assumption was designed for login-centric risk, but it fails when the browser itself mediates the handoff between authentication and application access. The implication is that defenders must rethink trust boundaries around session continuity, not merely credential strength.

Consent phishing exposes a control gap in tenant governance and app approval workflows. The article makes clear that attackers can bypass login protections by getting users to authorize attacker-controlled OAuth apps. That means enterprise control is only as strong as the app inventory, consent policy, and visibility into third-party integrations across all SaaS services. Security teams should not treat OAuth grants as a niche app feature; they are a material identity governance surface.

Browser extensions create an unmanaged privilege layer that most identity teams still undercount. When an extension can read pages, capture cookies, and modify content, it behaves like hidden access to the user’s session and data path. This is the browser equivalent of shadow access. Practitioners need to govern extension permissions with the same seriousness they apply to privileged accounts and connected apps.

Browser telemetry is becoming the missing source of truth for the modern identity perimeter. Browser activity shows which apps users actually touch, where MFA is absent, and where ghost logins persist even after SSO rollout. That makes browser-based visibility a practical bridge between human IAM, SaaS governance, and NHI-related access patterns. Teams that can see the browser can find hidden authentication gaps faster than teams that rely only on IdP logs or endpoint tools.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% having no or low visibility and 47% only partial visibility, according to The State of Non-Human Identity Security.
  • A separate finding shows that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • That confidence gap reinforces why browser-observed identity behaviour matters, so explore NHI Lifecycle Management Guide for the controls that govern access, rotation, and offboarding.

What this signals

Browser visibility is becoming the practical bridge between identity governance and attack detection. As more authentication, consent, and session activity moves into the browser, teams will need evidence from the place where access is actually used, not just where it is issued. That shift also sharpens the case for tighter control of delegated access and third-party grants across SaaS estates.

Browser-level identity telemetry exposes the hidden parts of the access surface. With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, per The State of Non-Human Identity Security, the browser is one of the few places where unmanaged grants, ghost logins, and risky extensions can be observed together.

Risk teams should expect browser compromise to keep collapsing the boundary between human IAM and NHI governance. When a stolen session or delegated grant is enough to reach business data, the same control failures that affect service accounts also apply to user-driven SaaS access. The operational response is to close visibility gaps before attackers turn them into persistent access.


For practitioners

  • Inventory browser-accessed identity paths: Map which SaaS apps, OAuth grants, logins, and extensions are actually used in the browser, including unmanaged and shadow IT services.
  • Restrict consent and extension privilege: Tighten OAuth approval policies, review delegated scopes, and limit extension installs to pre-approved items with narrow permissions.
  • Detect session abuse in the browser: Use browser telemetry to spot suspicious login completions, anomalous tab activity, repeated consent grants, and session replay indicators.

Key takeaways

  • Browser-based attacks now exploit the identity layer inside the browser, not just the endpoint or inbox.
  • OAuth consent abuse, session hijacking, and malicious extensions all bypass assumptions that traditional login controls are enough.
  • Security teams need browser-level visibility, consent governance, and extension control to reduce attack surface effectively.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-04 | OAuth grants and stolen sessions are identity abuse patterns covered by NHI governance controls.
NIST CSF 2.0 | PR.AA-01 | Identity and authentication assurance apply to browser-mediated access and consent flows.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Least privilege must cover SaaS grants and browser-accessed sessions, not only IdP accounts.

Review delegated access paths and revoke overbroad credentials before they become browser-captured sessions.


Key terms

  • Browser-based attack: An attack that uses the browser as the main delivery and execution environment for stealing access, approving permissions, or delivering malicious content. It targets the place where users actually interact with SaaS and cloud services, which makes browser visibility central to detection and response.
  • Consent phishing: A social engineering technique that tricks a user into authorising an attacker-controlled application or integration. The attacker then inherits the permissions granted in the consent screen, which can bypass normal login protections and create durable access to business data.
  • Attacker-in-the-middle phishing: A phishing method that proxies a real login in order to capture the authenticated session after the victim completes sign-in. It is especially dangerous because it can defeat many MFA flows by stealing the session rather than the password.
  • Browser extension privilege: The level of access a browser extension has to pages, cookies, tabs, history, and network activity. In practice, broad extension permissions can create a hidden access layer inside the browser that behaves like privileged software and can be abused for theft or injection.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Push Security: browser-based attacks and the identity controls needed to detect and respond to them. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org