
Browser extensions and runtime trust gaps: what IAM teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: Browser extensions masquerading as TikTok downloaders operated legitimately for 6 to 12 months before adding covert tracking and remote configuration, and LayerX Security says the campaign has affected more than 130,000 users across Chrome and Edge. The security problem is not install-time validation alone, but runtime behaviour that can change after trust is granted.

NHIMG editorial — based on content published by LayerX Security: LLMjacking-style browser extension campaign analysis involving TikTok downloader clones

By the numbers:

Questions worth separating out

Q: How should security teams govern browser extensions that run inside authenticated sessions?

A: Security teams should govern browser extensions as runtime software assets that can observe and affect authenticated sessions.

Q: Why do browser extensions create identity and access risk beyond normal endpoint software?

A: Browser extensions sit inside the user’s active session, so they can see behaviour, collect telemetry, and influence requests in a context that already has trust.

Q: What breaks when browser extension reviews only check install-time permissions?

A: Install-time reviews fail when the extension can change behaviour later through remote configuration or cloned replacement listings.

Practitioner guidance

  • Inventory extensions as governed software assets: map all browser extensions in managed environments, including those installed outside policy.
  • Block remote configuration paths for unapproved add-ons: flag extensions that retrieve JSON, script, or control data from external domains.
  • Monitor extension behaviour after installation: track network destinations, DOM interaction, and permission drift over time rather than relying on marketplace validation alone.

What's in the full article

LayerX Security's full analysis covers the operational detail this post intentionally leaves for the source:

  • Indicator lists for the malicious extension family, including named extension IDs and related domains
  • Campaign structure details showing how cloned listings, screenshots, and “Featured” badges were used to build trust
  • Technical notes on remote configuration endpoints and how they altered extension behaviour after installation
  • Recommended detection themes for browser teams that need to hunt for suspicious network activity and DOM manipulation

👉 Read LayerX Security's analysis of the TikTok downloader extension campaign →




(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498

Browser extensions are part of the identity attack surface, not just the endpoint stack. When an extension runs inside a signed-in browser, it can observe session context, collect behavioural signals, and influence requests after trust has already been granted. That means identity teams cannot treat browser-installed software as outside governance simply because it is not a user account or a service account. The practical conclusion is that browser runtime behaviour now belongs in identity-adjacent risk management.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • A further 47% of organisations report only partial visibility into those third-party OAuth connections, which leaves hidden trust paths in place.

A question worth separating out:

Q: What should organisations do when a browser extension appears legitimate but behaves differently over time?

A: They should remove the assumption that store metadata is proof of safety and treat the extension as a monitored, revocable component. Investigate whether it contacts unknown domains, alters functionality after installation, or shares a code family with other suspicious listings. If those signals exist, containment should happen before the extension keeps operating in managed browsers.

👉 Read our full editorial: Browser extensions can become long-lived identity footholds
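As an added illustration of the two checks both posts call for (permission drift after approval, and JSON or script pulled from domains outside an extension's approved scope), the following script is not LayerX's or NHIMG's code; the extension ids, manifests, request log and `.invalid` domains are constructed sample data.

```python
from urllib.parse import urlparse

# Constructed sample (not LayerX's or NHIMG's data): manifest recorded when the
# extension was approved versus the manifest now on the endpoint; ids are hypothetical.
BASELINE_MANIFESTS = {
    "ext-a": {"permissions": ["downloads", "activeTab"],
              "host_permissions": ["https://www.tiktok.com/*"]},
}
CURRENT_MANIFESTS = {
    "ext-a": {"permissions": ["downloads", "activeTab", "tabs", "webRequest"],
              "host_permissions": ["<all_urls>"]},
    "ext-b": {"permissions": ["storage"], "host_permissions": []},  # never approved
}
# Constructed extension-originated requests: (extension id, url, response content type),
# standing in for proxy logs or browser telemetry.
REQUEST_LOG = [
    ("ext-a", "https://www.tiktok.com/api/item?id=1", "video/mp4"),
    ("ext-a", "https://cfg.example.invalid/v2/config.json", "application/json"),
    ("ext-a", "https://cdn.example.invalid/loader.js", "application/javascript"),
]
APPROVED_DOMAINS = {"ext-a": {"www.tiktok.com"}}
REMOTE_CONTROL_TYPES = {"application/json", "application/javascript", "text/javascript"}

def permission_drift(baseline, current):
    """Report every extension whose manifest grew beyond its approved baseline;
    an extension with no baseline is reported with all its permissions as new."""
    findings = []
    for ext_id, now in sorted(current.items()):
        then = baseline.get(ext_id, {})
        new_perms = sorted(set(now.get("permissions", [])) - set(then.get("permissions", [])))
        new_hosts = sorted(set(now.get("host_permissions", [])) - set(then.get("host_permissions", [])))
        if new_perms or new_hosts or ext_id not in baseline:
            findings.append((ext_id, new_perms, new_hosts))
    return findings

def remote_config_fetches(request_log, approved_domains):
    """Flag JSON or script pulled from a domain outside the extension's approved
    scope: the remote-configuration pattern that changes behaviour after install."""
    flagged = []
    for ext_id, url, content_type in request_log:
        host = urlparse(url).hostname or ""
        if host not in approved_domains.get(ext_id, set()) and content_type in REMOTE_CONTROL_TYPES:
            flagged.append((ext_id, host, content_type))
    return flagged

if __name__ == "__main__":
    for finding in permission_drift(BASELINE_MANIFESTS, CURRENT_MANIFESTS):
        print("permission drift:", finding)
    for finding in remote_config_fetches(REQUEST_LOG, APPROVED_DOMAINS):
        print("remote config fetch:", finding)
```

Run against a real inventory, the baseline should be the manifest captured at approval time and the request log should come from the proxy or browser telemetry that already attributes traffic to extension ids.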


