Browser-based attacks and identity gaps: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079

TL;DR: Browser-based attacks are now the main path into business apps, with phishing, ClickFix, malicious OAuth grants, extensions, and stolen credentials all converging in the browser, according to Push Security. The security boundary has shifted from endpoint and email controls to browser-visible identity and session behaviour, making app access governance and detection the critical control plane.

NHIMG editorial — based on content published by Push Security: browser-based attacks and the identity controls needed to detect and respond to them

By the numbers:

  • The news around extension-based compromises has been on the rise since the Cyberhaven extension was hacked in December 2024, along with at least 35 other extensions.

Questions worth separating out

Q: How should security teams reduce browser-based identity compromise across SaaS apps?

A: Security teams should treat the browser as an identity control point, not just a user interface.

Q: Why do phishing-resistant MFA methods still leave browser-based attacks dangerous?

A: Phishing-resistant MFA can stop password capture, but it does not stop attackers who steal the resulting session, trick a user into approving an OAuth grant, or use a malicious extension.

Q: What do security teams get wrong about malicious browser extensions?

A: They often treat extensions as productivity add-ons instead of privileged software with access to content, cookies, tabs, and browsing history.

Practitioner guidance

  • Inventory browser-accessed identity paths: Map which SaaS apps, OAuth grants, logins, and extensions are actually used in the browser, including unmanaged and shadow IT services.
  • Restrict consent and extension privilege: Tighten OAuth approval policies, review delegated scopes, and limit extension installs to pre-approved items with narrow permissions.
  • Detect session abuse in the browser: Use browser telemetry to spot suspicious login completions, anomalous tab activity, repeated consent grants, and session replay indicators.

What's in the full article

Push Security's full article covers the operational detail this post intentionally leaves for the source:

  • How each browser attack technique works at the page, session, and control-bypass level
  • Examples of the browser and endpoint signals Push Security uses to detect suspicious activity
  • The practical differences between phishing, ClickFix, consent phishing, extensions, and stolen credentials in live environments
  • Why browser-based visibility changes incident response for SaaS access abuse

👉 Read Push Security's analysis of browser-based attacks and identity abuse →

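As an added illustration of the "restrict consent" and "detect session abuse" guidance in the post above (example code written for this thread, not Push Security's or NHIMG's own tooling): a small detector run over constructed consent-grant and session-use records. It flags grants of high-risk scopes to apps outside an allowlist, a user granting consent to several unapproved apps within a short window, and a session token reused from a new IP and user agent. The app names, scope names, window and sample events are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), shaped like what an
# identity provider or browser agent might emit for consent and session use.
CONSENT_EVENTS = [
    {"ts": "2025-01-10T09:00:00", "user": "alice", "app": "Approved CRM", "scopes": ["openid", "profile"]},
    {"ts": "2025-01-10T09:05:00", "user": "alice", "app": "PDF Helper", "scopes": ["Mail.Read", "offline_access"]},
    {"ts": "2025-01-10T09:07:00", "user": "alice", "app": "Calendar Sync Pro", "scopes": ["Files.ReadWrite.All", "offline_access"]},
    {"ts": "2025-01-10T11:00:00", "user": "bob", "app": "Approved CRM", "scopes": ["openid"]},
]
SESSION_EVENTS = [
    {"ts": "2025-01-10T08:00:00", "user": "bob", "session": "sess-1", "ip": "10.0.0.5", "ua": "Chrome/120"},
    {"ts": "2025-01-10T08:30:00", "user": "bob", "session": "sess-1", "ip": "10.0.0.5", "ua": "Chrome/120"},
    {"ts": "2025-01-10T08:45:00", "user": "bob", "session": "sess-1", "ip": "203.0.113.9", "ua": "curl/8.4"},
]

# Assumed policy: pre-approved apps, scopes treated as high risk, repeat window.
APPROVED_APPS = {"Approved CRM"}
HIGH_RISK_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All"}
REPEAT_WINDOW = timedelta(minutes=15)


def flag_consent_grants(events, approved=APPROVED_APPS, risky=HIGH_RISK_SCOPES, window=REPEAT_WINDOW):
    """Alert on unapproved apps receiving risky scopes, and on a user consenting
    to two or more unapproved apps within `window` (repeated-consent pattern)."""
    alerts, recent = [], defaultdict(list)  # recent: user -> unapproved grant times
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["app"] in approved:
            continue
        risky_scopes = sorted(set(e["scopes"]) & risky)
        if risky_scopes:
            alerts.append((e["user"], "risky_scope", e["app"], risky_scopes))
        t = datetime.fromisoformat(e["ts"])
        recent[e["user"]] = [x for x in recent[e["user"]] if t - x <= window] + [t]
        if len(recent[e["user"]]) >= 2:
            alerts.append((e["user"], "repeated_consent", e["app"], len(recent[e["user"]])))
    return alerts


def flag_session_replay(events):
    """A session token later seen from both a new IP and a new user agent is a
    replay indicator: the cookie was likely lifted out of the original browser."""
    first_seen, alerts = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["session"] not in first_seen:
            first_seen[e["session"]] = (e["ip"], e["ua"])
            continue
        ip0, ua0 = first_seen[e["session"]]
        if e["ip"] != ip0 and e["ua"] != ua0:
            alerts.append((e["user"], "session_replay", e["session"], e["ip"], e["ua"]))
    return alerts
```

On the sample data this yields two risky-scope alerts and one repeated-consent alert for alice, and one session-replay alert for bob's session.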
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508

Browser-based identity abuse is now a governance problem, not just a detection problem. The article shows that attackers are no longer relying on network compromise alone. They are using the browser to target sessions, OAuth grants, extensions, and downloaded content, which means the identity surface has expanded into places many IAM programmes still do not monitor. Practitioners should treat browser-observed identity behaviour as part of core access governance, not as a peripheral telemetry feed.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% having no or low visibility and 47% only partial visibility, according to The State of Non-Human Identity Security.
  • A separate finding shows that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when browser-based attacks bypass app login controls?

A: Accountability sits across identity, SaaS, and security operations teams because the failure often lies in consent policy, application inventory, and session visibility rather than in one product. Frameworks such as the NIST Cybersecurity Framework 2.0 and browser-aware access governance help assign ownership for those gaps.

👉 Read our full editorial: Browser-based attacks are exploiting identity gaps in SaaS apps
