Upcoming Webinar, Dec 5th — Phish Kit Teardown

Ready to help

How do I remove an employee’s browser that was incorrectly enrolled in Push as another user?

Under certain conditions, it is possible for a browser to get enrolled in Push as the wrong user. In these cases, you may see incorrect security findings for a shared account on users that are not actually sharing credentials on applications.

This issue can be caused by two situations:

  • If you use shared credentials when logging into SaaS apps observed by the Push browser extension in a browser profile that has not yet been enrolled.

  • If two or more users use the same unique browser self-enrollment link.

Description of issue

If you deploy the Push browser extension using a device management tool, the token that links browsers to your Push tenant is a single identifier. Once installed, the browser extension then uses the following techniques to link the browser to a specific employee:

  • Checks if there is a user logged into the browser where the extension is installed.

  • Looks for an email address from an open Google Workspace or Outlook tab in the browser.

  • Waits for an email login into one of the SaaS apps that Push supports and observes the email address of the user that way.

In cases where User A is not logged into their browser, or browser login is not supported (such as with Brave), and they also log into a SaaS app using User B’s credentials on a browser profile that has not yet been enrolled, the extension will incorrectly identify them as User B, because that is the username observed by the extension.

This issue can also occur when using the unique browser self-enrollment links generated by the Push platform and sent to an employee via email or ChatOps. These links are uniquely tied to the individual and should not be shared between employees.

This issue does not occur if a browser profile is already enrolled in Push. Enrollment is a one-time action unless the extension is deleted.

Resolution

To remove the mistaken enrollment, you can unlicense each affected employee in the admin console and then re-license them. Then re-enroll their browsers using the correct unique self-enrollment link.

Note that if you performed a managed deployment of the Push browser extension using your MDM, those employees will get re-enrolled automatically the next time Push identifies them. You can also choose to use the self-enrollment links sent via email or ChatOps.

To prevent this issue from occurring, you can:

  • Require users to log into their browsers, if supported.

  • Avoid using shared SaaS credentials.

  • Avoid sharing browser self-enrollment links between employees.

If you must use shared credentials in certain situations, be sure you are logging into the app with the shared credentials in a browser profile already correctly enrolled to you.