TL;DR: Malicious browser extensions can exfiltrate cookies, session tokens, and other sensitive data while bypassing store review, with one 2024 campaign affecting at least 35 Chrome extensions and about 2.6 million users, according to Obsidian Security. The governance gap is not just detection, but controlling permission sprawl and downstream identity exposure.
At a glance
What this is: This analysis argues that browser extensions have become an under-governed identity-adjacent attack surface, with malicious add-ons capable of stealing session material and other sensitive data at scale.
Why it matters: For IAM and NHI teams, extension risk matters because it turns browser permissions and session tokens into a practical path for credential abuse, lateral access, and data exfiltration.
By the numbers:
- A broader campaign targeted at least 35 Chrome extensions.
👉 Read Obsidian Security's analysis of malicious browser extension risk and exfiltration paths
Context
Browser extensions are a control gap because they sit between the user, the browser session, and the SaaS applications that now hold enterprise work. When an extension can read page data, session tokens, or cookies, it effectively becomes an identity risk rather than just an endpoint nuisance, which is why existing IAM visibility does not fully cover the exposure surface.
The article centers on the December 2024 Chrome extension breach and the broader problem of malicious extensions being published, updated, or taken over after users have already trusted them. That pattern is typical of modern NHI and session abuse: the dangerous component is often not the code alone, but the permissions and credentials it can reach once installed.
Key questions
Q: How should security teams govern browser extensions in enterprise environments?
A: Treat browser extensions as identity-adjacent software with access to live sessions and sensitive data. Build an inventory, approve only business-justified extensions, and review permissions with the same discipline used for privileged access. If an extension can read SaaS content or session material, it belongs in a governed control set, not a user-only preference area.
Q: Why are browser extensions a problem for IAM and NHI teams?
A: Because extensions can operate inside authenticated sessions and reach cookies, tokens, and page data that IAM may not directly see. That creates a blind spot where a user remains properly authenticated while the extension acts as a hidden access path. NHI teams should treat this as session abuse risk, not only endpoint risk.
Q: What is the difference between browser extension risk and normal SaaS app risk?
A: SaaS app risk usually comes from direct application access, while extension risk comes from code running inside the browser that can intercept or reuse that access. The extension may never become a separate application account, yet it can still capture the material needed to impersonate the session. That makes detection and revocation harder.
Q: When should organisations disable or block browser extensions?
A: Block extensions when they have no clear business purpose, request broad access to content or sessions, or come from publishers that cannot be verified. Organisations should also disable extensions in high-risk roles and sensitive SaaS workflows where token theft would create immediate blast radius. The decision should be based on privilege, not convenience.
Technical breakdown
How malicious browser extensions become credential theft tools
Browser extensions can request broad permissions to read and modify web content, access browser storage, and inspect active tabs. Once installed, a malicious extension can capture session cookies, bearer tokens, form inputs, and page content without needing a traditional malware payload. Store review helps but does not eliminate risk, because attackers can mimic legitimate functionality, compromise existing extensions, or push malicious updates after approval. The technical risk is amplified when the browser is the primary interface to SaaS, because the extension sits inside the trust boundary of the authenticated session.
Practical implication: Security teams should treat extension permissions as privileged access and review them with the same seriousness as browser-session controls.
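The permission review described above can be partly automated from each extension's manifest.json. The following is an added example written for this post, not code from Obsidian Security or from any browser vendor: it reads the permission and host-pattern fields of MV2 and MV3 manifests and assigns a risk tier, with session-level APIs (cookies, webRequest, debugger) and all-sites host access treated as high risk. The tiering rules and the four sample manifests are this example's own constructions, not an official Chrome classification.

```python
"""Rank browser extension manifests by how much session and page access they request."""
from typing import Any

# Risk classes for Chromium API permissions. This grouping is the example's own
# judgement (assumption), not an official Chrome classification.
SESSION_ACCESS = {
    "cookies", "webRequest", "webRequestBlocking", "debugger", "proxy",
    "declarativeNetRequestWithHostAccess", "webAuthenticationProxy",
}
CONTENT_ACCESS = {
    "scripting", "tabs", "webNavigation", "clipboardRead",
    "history", "downloads", "nativeMessaging",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
TIER_ORDER = {"high": 0, "medium": 1, "low": 2}


def is_broad_host(pattern: str) -> bool:
    """True if a match pattern covers effectively every site."""
    return pattern.strip() in BROAD_HOSTS


def host_patterns(manifest: dict[str, Any]) -> set[str]:
    """Collect every host pattern the extension can call or inject into.

    MV3 lists hosts under host_permissions; MV2 mixes them into permissions.
    content_scripts matches count too: a script injected into a page can read
    its DOM, form fields and in-page tokens even without host_permissions.
    """
    hosts: set[str] = set()
    for key in ("host_permissions", "optional_host_permissions",
                "permissions", "optional_permissions"):
        for entry in manifest.get(key, []):
            if entry == "<all_urls>" or "://" in entry:
                hosts.add(entry)
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return hosts


def api_permissions(manifest: dict[str, Any]) -> set[str]:
    """API permissions only (host patterns stripped), optional ones included
    because an extension can request them later without a new review."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    return {p for p in perms if p != "<all_urls>" and "://" not in p}


def assess(manifest: dict[str, Any]) -> dict[str, Any]:
    """Assign a tier: high = can reach session material or every site,
    medium = scoped page access or content-level APIs, low = neither."""
    perms = api_permissions(manifest)
    hosts = host_patterns(manifest)
    broad = any(is_broad_host(h) for h in hosts)
    injects = bool(manifest.get("content_scripts")) or "scripting" in perms
    reasons = []
    if perms & SESSION_ACCESS:
        reasons.append(f"session-level APIs: {sorted(perms & SESSION_ACCESS)}")
    if broad:
        reasons.append("host access to all sites")
    elif hosts:
        reasons.append(f"scoped host access: {sorted(hosts)}")
    if injects:
        reasons.append("can run code inside pages")
    if perms & CONTENT_ACCESS:
        reasons.append(f"content-level APIs: {sorted(perms & CONTENT_ACCESS)}")
    if perms & SESSION_ACCESS or broad:
        tier = "high"
    elif hosts or injects or perms & CONTENT_ACCESS:
        tier = "medium"
    else:
        tier = "low"
    return {"name": manifest.get("name", "?"), "tier": tier, "reasons": reasons}


def rank(manifests: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Highest-risk extensions first, for the review queue."""
    return sorted((assess(m) for m in manifests), key=lambda r: TIER_ORDER[r["tier"]])


# Constructed sample manifests (not real extensions) covering MV3 and MV2 shapes.
SAMPLE_MANIFESTS = [
    {"name": "Tab Tidy Pro", "manifest_version": 3,
     "permissions": ["tabs", "cookies", "storage"], "host_permissions": ["<all_urls>"]},
    {"name": "CRM Quick Notes", "manifest_version": 3, "permissions": ["storage"],
     "content_scripts": [{"matches": ["https://*.crm.example/*"], "js": ["notes.js"]}]},
    {"name": "Colour Picker", "manifest_version": 3, "permissions": ["activeTab"]},
    {"name": "Legacy Ad Filter", "manifest_version": 2,
     "permissions": ["webRequest", "webRequestBlocking", "http://*/*", "https://*/*"]},
]

if __name__ == "__main__":
    for record in rank(SAMPLE_MANIFESTS):
        print(f"{record['tier']:6} {record['name']}: {'; '.join(record['reasons']) or 'no notable access'}")
```

Point the same `assess` function at the manifest.json files collected from a fleet and the output becomes the "high-risk identity dependency" list the practitioner section calls for; `activeTab` is deliberately kept low because it grants access only to the tab the user explicitly invokes the extension on.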
Why browser visibility matters more than app discovery alone
Traditional app discovery is often email- or network-driven, but browser extensions do not reliably generate those signals. They leave their clearest traces inside the browser itself, which means an organisation can have little or no inventory even when dozens of extensions are active across the fleet. The result is a blind spot that undermines risk scoring, entitlement review, and incident response. Visibility is not just a reporting exercise here, because you cannot govern what you have not catalogued. In NHI terms, an unmanaged extension can act like a hidden workload identity with access to live sessions and data.
Practical implication: Build a browser-level inventory and map each extension to users, permissions, and business purpose before attempting enforcement.
Why session tokens and cookies are high-value targets
Session tokens and cookies are attractive because they often bypass the need for primary credentials after authentication has already succeeded. If an extension can extract them, the attacker may inherit the user’s active access without triggering a password reset or MFA prompt in the moment. That makes browser compromise especially dangerous in SaaS-heavy environments, where sessions often represent the most practical form of access. The failure mode is identity reuse through the browser, not just data theft, which is why this topic belongs in NHI governance and not only in endpoint defense.
Practical implication: Prioritise token hygiene, session revocation, and browser containment controls for the accounts that reach sensitive SaaS systems.
Threat narrative
Attacker objective: The attacker wants to steal authenticated session material and use it to access enterprise SaaS data without needing the original login flow.
- Entry via phishing or extension takeover that lets attackers publish or update a malicious browser extension.
- Escalation through extension permissions that expose cookies, session tokens, and page data inside the authenticated browser session.
- Impact through exfiltration of sensitive data and reuse of stolen session material for downstream SaaS access.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- Internet Archive breach — unsecured GitLab authentication tokens exposed 31M Internet Archive accounts.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Browser extensions now function as shadow NHI endpoints: they are software entities with execution authority, access to live sessions, and the ability to move sensitive data out of the browser. That changes the governance question from simple software approval to identity control over what code may act on behalf of a user. Teams that still treat extensions as low-risk add-ons are underestimating their role in session abuse and SaaS compromise.
Visibility is the first control, but it is not the finish line: cataloguing extensions only tells you what exists. The real governance work is to classify privilege, tie each extension to a business need, and remove anything that can access data beyond its function. In practice, extension management should look more like entitlement governance than software hygiene.
Session material is the new abuse primitive: when attackers can steal cookies or tokens, they often sidestep the controls that protect primary credentials. That means browser security, IAM, and NHI governance must align around revocation speed, token lifetimes, and the sensitivity of SaaS-connected sessions. The control model has to assume that authenticated browser sessions can be replayed.
Extension takeover risk exposes trust debt in browser ecosystems: even a benign extension can become malicious after acquisition, compromise, or a poisoned update. That makes third-party trust in browser stores and extension publishers an ongoing governance issue, not a one-time approval decision. Practitioners should build continuous review into extension trust decisions rather than rely on initial vetting alone.
From our research:
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
- For a deeper model of identity exposure and remediation, see NHI Lifecycle Management Guide and align extension governance with lifecycle controls.
What this signals
Extension governance is becoming part of NHI lifecycle management: once a browser add-on can act inside a live session, the control problem shifts from installation approval to continuous entitlement review, revocation, and usage validation. Organisations that already struggle to inventory machine identities will recognise the same pattern here, only faster and closer to the user session.
The practical signal for security programmes is that browser control, SaaS identity control, and session protection can no longer live in separate workstreams. Teams should align extension policy with least privilege, token lifetime, and access review processes, then map the control set to the NIST Cybersecurity Framework 2.0 where governance and access management intersect.
For practitioners
- Inventory browser extensions at the browser layer: Create a fleet-wide catalogue of installed extensions, then map each one to user groups, permissions, publisher identity, and business justification. Do not rely on email telemetry or app-discovery tools alone, because extensions often leave no external install signal.
- Rank extensions by privileged permissions: Prioritise add-ons that can read web content, inspect tabs, access storage, or interact with SaaS sessions. Review any extension with access to cookies, tokens, or sensitive form data as a high-risk identity dependency, not just a productivity tool.
- Revoke and rotate session material quickly: Define a rapid response playbook for suspected extension compromise that includes session revocation, token invalidation, and user re-authentication. Coordinate this with IAM so stolen browser sessions do not remain valid after detection.
- Restrict extension installation paths: Limit who can install extensions, require allow-listing for business-critical browsers, and block categories that are not needed for work. Pair policy enforcement with user education so risky permissions are not granted casually.
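The first and last steps above (browser-layer inventory, then allow-listing) can be illustrated together. The following is an added example written for this post, not code from the project or vendors it discusses. It walks a Chrome/Chromium user-data directory, where installed extensions are kept unpacked as `<profile>/Extensions/<id>/<version>/manifest.json`, resolves localised `__MSG_...__` names from `_locales`, and emits an inventory record per extension; it then builds a Chrome `ExtensionSettings` policy object that blocks installation by default, allow-lists reviewed IDs, and denies session-level permissions fleet-wide. The directory layout is built as a constructed fixture so the script runs offline; the extension IDs, names and the `EXT-REVIEW` ticket reference are placeholders, and the policy keys used should be checked against the Chrome enterprise policy documentation for the browser version in use.

```python
"""Browser-layer extension inventory plus a default-deny ExtensionSettings policy."""
import json
import tempfile
from pathlib import Path
from typing import Any

# Chromium keeps unpacked copies of installed extensions under
# <user data dir>/<profile>/Extensions/<32-char id>/<version>_<n>/manifest.json.
# The user data dir differs per OS, so it is passed in rather than guessed.


def localized_name(ext_dir: Path, manifest: dict[str, Any]) -> str:
    """Resolve a __MSG_key__ name via _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    key = name[len("__MSG_"):-2]
    locale = manifest.get("default_locale", "en")
    msgs_path = ext_dir / "_locales" / locale / "messages.json"
    try:
        return json.loads(msgs_path.read_text(encoding="utf-8"))[key]["message"]
    except (OSError, KeyError, ValueError):
        return name  # keep the placeholder rather than guess a name


def inventory(user_data_dir: Path) -> list[dict[str, Any]]:
    """One record per installed extension copy, across every profile."""
    records = []
    for manifest_path in sorted(user_data_dir.glob("*/Extensions/*/*/manifest.json")):
        version_dir = manifest_path.parent
        ext_id = version_dir.parent.name
        if len(ext_id) != 32:  # Chrome IDs are 32 letters a-p; skip stray dirs
            continue
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        records.append({
            "profile": version_dir.parent.parent.parent.name,
            "id": ext_id,
            "version": manifest.get("version", version_dir.name),
            "name": localized_name(version_dir, manifest),
            "permissions": sorted(manifest.get("permissions", [])),
            "host_permissions": sorted(manifest.get("host_permissions", [])),
        })
    return records


def extension_settings_policy(allowed_ids: list[str], blocked_permissions: list[str]) -> dict[str, Any]:
    """Default-deny Chrome ExtensionSettings: block all installs, allow reviewed
    IDs, deny session-level permissions for every extension. On Linux this JSON
    is deployed as /etc/opt/chrome/policies/managed/<name>.json; other
    platforms use registry or plist equivalents."""
    policy: dict[str, Any] = {"*": {
        "installation_mode": "blocked",
        "blocked_permissions": blocked_permissions,
        "blocked_install_message": "Extensions need security review (EXT-REVIEW placeholder).",
    }}
    for ext_id in allowed_ids:
        policy[ext_id] = {"installation_mode": "allowed"}
    return policy


def build_fixture() -> Path:
    """Constructed user-data layout with two placeholder extensions (not real IDs)."""
    root = Path(tempfile.mkdtemp(prefix="chrome-ud-"))
    exts = {
        ("Default", "a" * 32, "2.1.0_0"): {
            "manifest": {"manifest_version": 3, "name": "__MSG_appName__", "default_locale": "en",
                         "version": "2.1.0", "permissions": ["cookies", "tabs"],
                         "host_permissions": ["<all_urls>"]},
            "messages": {"appName": {"message": "Tab Tidy Pro"}},
        },
        ("Profile 1", "b" * 32, "1.0.3_0"): {
            "manifest": {"manifest_version": 3, "name": "CRM Quick Notes",
                         "version": "1.0.3", "permissions": ["storage"]},
        },
    }
    for (profile, ext_id, ver), files in exts.items():
        ext_dir = root / profile / "Extensions" / ext_id / ver
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(files["manifest"]), encoding="utf-8")
        if "messages" in files:
            loc = ext_dir / "_locales" / "en"
            loc.mkdir(parents=True)
            (loc / "messages.json").write_text(json.dumps(files["messages"]), encoding="utf-8")
    return root


if __name__ == "__main__":
    records = inventory(build_fixture())
    for r in records:
        print(f"{r['profile']}: {r['name']} {r['version']} ({r['id']}) perms={r['permissions']}")
    # Only the reviewed, low-privilege extension is allow-listed.
    print(json.dumps(extension_settings_policy(["b" * 32], ["cookies", "debugger", "webRequest"]), indent=2))
```

The inventory records are the raw material for the permission ranking and business-justification mapping; the policy output is the enforcement half, and because `blocked_permissions` under `*` applies to allow-listed extensions as well, any reviewed extension that genuinely needs a session-level API has to be granted it explicitly per ID rather than inheriting it.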
Key takeaways
- Malicious browser extensions are a governance problem because they can operate inside authenticated sessions and steal the material that keeps SaaS access alive.
- The scale of extension abuse is material, with at least 35 extensions and about 2.6 million users affected in the campaign discussed here.
- Practitioners should respond with browser-level inventory, permission-based risk ranking, and fast session revocation procedures.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Malicious extensions create unmanaged identity-like access paths. |
| NIST CSF 2.0 | PR.AC-4 | Extension permissions affect least-privilege access to SaaS sessions. |
| NIST Zero Trust (SP 800-207) | Continuous verification | Relevant when extensions can reuse authenticated sessions. |
Review extension permissions as part of access governance and remove unnecessary privilege.
Key terms
- Browser Extension Abuse: Browser extension abuse occurs when a trusted add-on is used to capture data, alter browser behaviour, or reuse authenticated sessions. In enterprise environments, the risk is not just malware delivery but silent access to cookies, tokens, and page content inside the user’s trusted browser session.
- Session Material: Session material is the data that keeps an authenticated browser session alive, such as cookies, bearer tokens, and other reusable authentication artifacts. In NHI governance, session material matters because stealing it can bypass password and MFA controls without needing the original login flow.
Deepen your knowledge
Browser extension risk and session abuse are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is trying to govern browser-mediated access and shadow identity exposure, it is worth exploring.
This post draws on content published by Obsidian Security: The Hunt for Malicious Browser Extensions: What Security Teams Need to Know. Read the original.
Published by the NHIMG editorial team on 2025-07-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org