The extraction of passwords, cookies, and session material from browsers or local storage after an endpoint compromise. These artifacts often function like active credentials, so their theft can enable immediate reuse, account takeover, or lateral access without additional authentication.
Expanded Definition
Browser credential harvesting is the post-compromise collection of browser-stored secrets such as passwords, cookies, refresh tokens, and autofill data. In NHI security, the important distinction is that many of these artifacts behave like live credentials, not static records, so theft can bypass normal login flows and session reauthentication. This matters because browser storage often aggregates identity material from human users and AI-enabled tools in one place, creating a high-value target after endpoint compromise. Guidance varies across vendors on whether cookies, local session state, and saved passwords should be treated as separate categories, but the operational risk is consistent: any reusable browser artifact can become an access path. The most common misapplication is treating browser theft as a user hygiene issue rather than an identity compromise, which occurs when defenders ignore the privilege carried by the stolen session itself.
For the broader secret-handling context, see Ultimate Guide to NHIs — Static vs Dynamic Secrets and the OWASP Non-Human Identity Top 10, which frames secret exposure as an identity control failure rather than a simple data-loss event.
Examples and Use Cases
Implementing browser-focused controls rigorously often introduces friction for legitimate users, so organisations must weigh faster access against the cost of tighter session protection and endpoint hardening.
- A threat actor compromises a laptop, then extracts browser cookies to reuse an active SaaS session without needing the password.
- An attacker collects saved passwords from the browser profile and pivots into cloud consoles, then uses those accounts to hunt for additional secrets, a pattern consistent with Guide to the Secret Sprawl Challenge.
- A developer signs into GitHub and a CI/CD portal in the same browser, and harvested session material enables source code access plus pipeline manipulation, echoing the risk patterns in the CI/CD pipeline exploitation case study.
- A browser extension or infostealer pulls tokens from local storage, then reuses them against APIs that are supposed to be protected by service-level identity controls.
- Mobile or desktop browser sync spreads compromised credentials across devices, which can multiply the blast radius when a single endpoint is infected.
Because cookies and tokens often outlive a password change, teams should interpret browser-based theft alongside standards such as NIST SP 800-63 Digital Identity Guidelines, which stress stronger session and authenticator assurance practices. NHIMG research also shows that 23.7% of organisations share secrets through insecure methods such as email or messaging applications, reinforcing how quickly stolen browser material can be operationalised after initial compromise.
Why It Matters in NHI Security
Browser credential harvesting is dangerous because it converts one endpoint compromise into many identity compromises. In NHI programs, the stolen artifact is often not just a password but an active bearer token, session cookie, or cached authentication material that can be used immediately against cloud apps, CI/CD systems, or AI tools. That makes it especially relevant where access is federated and where non-human workflows rely on short-lived but reusable secrets. NHIMG’s 2024 Non-Human Identity Security Report found that 88.5% of organisations say their NHI IAM practices lag behind or merely match their human IAM efforts, which helps explain why browser-exposed artifacts are still underestimated.
The security impact is larger than account takeover. Harvested browser material can expose deployment consoles, cloud management portals, and automation platforms, enabling lateral movement and secret discovery at machine speed. A mature response therefore includes endpoint hardening, session binding, rapid revocation, conditional access, and removal of sensitive secrets from browser storage wherever possible. The 2024 Non-Human Identity Security Report and the 230M AWS environment compromise both illustrate how quickly exposed credentials can translate into large-scale access. Organisations typically encounter the full cost of browser credential harvesting only after a workstation infection or infostealer event, at which point session theft becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Browser-stored secrets and sessions are identity artifacts OWASP flags as high-risk. |
| NIST SP 800-63 | Guidelines cover digital identity assurance and session security relevant to browser artifacts. | |
| NIST CSF 2.0 | PR.AC-1 | Access control and identity validation are directly impacted by stolen browser credentials. |
Reduce browser-exposed secrets, revoke reusable sessions fast, and treat harvested cookies as credential theft.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org