Get your copy of the SaaS Attacks Report: 2024 edition

Ready to help

What data does the Push browser extension collect?

In this section:

Overview

Once installed, the Push browser extension sits in the background of your employees’ browsers and collects the following information:

  • Browser name

  • Browser version

  • Device OS

  • Push browser extension version

  • The extension enrollment method (via a managed deployment or self-enrollment)

  • When the extension last checked in

When employees log into SaaS applications, the extension collects:

  • The URL of the platform

  • The account username

  • The login method

  • If a password is used, Push generates a shortened salted hash of the password, which is stored locally in the browser and never sent anywhere.

  • Their MFA registration status and MFA method, for supported apps

Using the shortened salted hash of the password, Push can then perform password comparisons and analysis, such as blocking SSO passwords from being entered on websites that do not belong to the identity provider, or surfacing leaked and shared account credentials. All comparisons are done locally in the browser, not server-side.

Depending on your configured security controls, the extension will also collect data on:

  • When employees visit a blocked URL

  • When employees enter their SSO password on a site that does not belong to the SSO provider

  • When employees visit a site that is using phishing tools

  • When employees visit an app that displays an app banner and (where applicable) when they acknowledge a banner message to dismiss it or submit a reason to use the app

If the extension observes an employee visiting an OAuth consent screen for an Microsoft 365 or Google Workspace app integration, it also collects basic telemetry about the integration that Push uses to research the integration, such as establishing whether it has a verified publisher. The data the extension collects in this case is:

  • The platform the app was observed on

  • The app identifier

  • The grant type requested

  • The reply URL

  • The scopes requested

If Push observes employee logins for apps it doesn’t recognize as work apps, it collects the URL of the platform and the login method (password or social login).

Finally, the extension collects error tracking data.

Sample data

Here are some examples of data the extension collects.

Browser data:

{
  "about": {
    "browserId": "d732c61e-35ea-3bdf-27cd-d37a3fadf6f9",
    "enrolmentMode": "deployment",
    "extensionVersion": "1.65.29",
  },
  "browser": {
    "name": "chrome",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
    }
}

Login data:

{
    "browserId":"d732c61e-35ea-3bdf-27cd-d37a3fadf6f9",
    "platform":"TRELLO",
    "username":"person@example.com",
    "weakPassword":true,
    "passwordChanged":false,
    "passwordManuallyTyped":false,
    "trackedAccounts":[
        {
            "username":"person@example.com",
            "platform":"GITHUB",
            "lastLogin":"2022-03-17T14:25:55.000Z",
            "samePassword":false
        },
        {
            "username":"person@example.com",
            "platform":"GOOGLE_WORKSPACE",
            "lastLogin":"2022-04-04T07:49:00.000Z",
            "samePassword":true
        },
    ]
}

Blocked URL event data:

{
        browserId: 'adjaw2-daajwd-awdja-2akdawd',
        url: 'https://blocked-url.com',
        referrerUrl: 'https://some-other-site.com',
}

SSO password protection event data:

{
        browserId: 'adjaw2-daajwd-awdja-2akdawd',
        email: 'person@example.com',
        mode: 'BLOCK',
        platformType: 'GCP',
        url: 'https://not-google.com',
        referrerUrl: 'https://not-google-referrer.com',
        action: 'DISPLAYED',
}

Phishing tools detection event data:

{
        browserId: 'adjaw2-daajwd-awdja-2akdawd',
        url: 'https://evil.com',
        referrerUrl: 'https://example.com',
        indicator: 'AITM_TOOL_EVILGINX_01',
}

App banner displayed event data:

{
        browserId: 'adjaw2-daajwd-awdja-2akdawd',
        platform: 'OPENAI',
        action: 'DISPLAYED',
        mode: 'ACKNOWLEDGE',
        title: 'Title',
        subtext: 'Subtext with markdown',
        buttonText: 'Proceed anyway',
}

App banner acknowledged event data:

{
        browserId: 'adjaw2-daajwd-awdja-2akdawd',
        platform: 'OPENAI',
        action: 'ACKNOWLEDGED',
        mode: 'ACKNOWLEDGE',
        title: 'Title',
        subtext: 'Subtext with markdown',
        buttonText: 'Proceed anyway',
}

OIDC login event data:

{
        browserId: 'adjaw2-daajwd-awdja-2akdawd',
        protocol: 'OIDC',
        platform: 'PUSH_SECURITY',
        ssoProviderUsed: 'GOOGLE_WORKSPACE',
        username: 'person@example.com',
        redirectUrl: 'https://example.com',
        loginTime: '2024-04-23T09:02:32.183Z',
        currentUrl: 'https://another.example.com',
}

"Other app" password login event data:

{
        browserId: 'adjaw2-daajwd-awdja-2akdawd',
        source: 'PASSWORD_LOGIN'
        email: 'person@example.com',
        platform: 'https://other-saas-platform.com',
        referrer: 'https://referrer-url.com'
}

"Other app" OIDC login event data:

{
        browserId: 'adjaw2-daajwd-awdja-2akdawd',
        source: 'OIDC_LOGIN'
        email: 'person@example.com',
        platform: 'https://other-saas-platform.com',
        referrer: 'https://referrer-url.com',
        idpPlatform: 'GOOGLE_WORKSPACE'
}