Push Help Center

What data does the Push browser extension collect?

Overview

Once installed, the Push browser extension sits in the background of your employees’ browsers and collects the following information:

  • Browser name

  • Browser version

  • Device OS

  • Push browser extension version

  • The extension enrollment method (via a managed deployment or self-enrollment)

  • When the extension last checked in

When employees log into SaaS applications, the extension collects:

  • The URL of the platform

  • The account username

  • The login method

  • If a password is used, Push generates a shortened salted hash of the password, which is stored locally in the browser and never sent anywhere.

  • Their MFA registration status and MFA method, for supported apps

Using the shortened salted hash of the password, Push can then perform password comparisons and analysis, such as blocking SSO passwords from being entered on websites that do not belong to the identity provider, or surfacing leaked and shared account credentials. All comparisons are done locally in the browser, not server-side.
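
The local comparison described above, as an added example that is not Push's code: it checks a typed password against a stored shortened salted hash and, on a match outside the identity provider's hosts, builds an event shaped like the SSO password protection sample on this page. The scrypt derivation, 16-byte salt, 3-byte truncation, record layout, function names and the `accounts.google.com` host list are all assumptions.

```javascript
// Added example, not Push's code. scrypt, the 16-byte salt, the 3-byte
// truncation and the record layout are assumptions for illustration.
const { scryptSync, randomBytes, timingSafeEqual } = require('node:crypto');

const TRUNCATE_BYTES = 3; // assumption: keep only 24 bits of the derived key

// Salted hash, shortened: many candidate passwords share each stored value,
// so the stored value alone cannot single out one password.
function shortHash(password, salt) {
  return scryptSync(password, salt, 32).subarray(0, TRUNCATE_BYTES);
}

// Record held only in local extension storage (hypothetical structure).
function enrollSsoPassword(password, platformType, idpHosts) {
  const salt = randomBytes(16);
  return { platformType, idpHosts, salt, hash: shortHash(password, salt) };
}

// Exact host or a subdomain of it; a lookalike such as
// accounts.google.com.evil.example does not match.
function isIdpHost(hostname, idpHosts) {
  return idpHosts.some((h) => hostname === h || hostname.endsWith('.' + h));
}

// Runs in the browser when a password is typed. Returns an event shaped like
// the SSO password protection sample, or null. The event carries no password
// and no hash.
function checkPasswordEntry(record, typedPassword, pageUrl, ctx) {
  const host = new URL(pageUrl).hostname;
  if (isIdpHost(host, record.idpHosts)) return null; // the IdP's own page
  const candidate = shortHash(typedPassword, record.salt);
  if (!timingSafeEqual(candidate, record.hash)) return null; // no match
  return {
    browserId: ctx.browserId, email: ctx.email, mode: 'BLOCK',
    platformType: record.platformType, url: pageUrl,
    referrerUrl: ctx.referrerUrl, action: 'DISPLAYED',
  };
}

// Constructed sample input.
const demoRecord = enrollSsoPassword('Tr0ub4dor&3', 'GCP', ['accounts.google.com']);
const demoCtx = { browserId: 'constructed-id', email: 'person@example.com',
  referrerUrl: 'https://not-google-referrer.com' };
console.log(checkPasswordEntry(demoRecord, 'Tr0ub4dor&3', 'https://not-google.com', demoCtx));
```

With a 24-bit value, an unrelated password produces a false match roughly once in 16.7 million attempts, which is the trade-off for storing less than the full hash.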

Depending on your configured security controls, the extension will also collect data on:

  • When employees visit a blocked URL

  • When employees enter their SSO password on a site that does not belong to the SSO provider

  • When employees visit a site that is using phishing tools

  • When employees visit an app that displays an app banner and (where applicable) when they acknowledge a banner message to dismiss it or submit a reason to use the app

If the extension observes an employee visiting an OAuth consent screen for a Microsoft 365 or Google Workspace app integration, it also collects basic telemetry about the integration that Push uses to research the integration, such as establishing whether it has a verified publisher. The data the extension collects in this case is:

  • The platform the app was observed on

  • The app identifier

  • The grant type requested

  • The reply URL

  • The scopes requested

If Push observes employee logins for apps it doesn’t recognize as work apps, it collects the URL of the platform and the login method (password or social login).

Finally, the extension collects error tracking data.

Sample data

Here are some examples of data the extension collects.

Browser data:

Browser extension - browser data
JSON
{
  "about": {
    "browserId": "d732c61e-35ea-3bdf-27cd-d37a3fadf6f9",
    "enrolmentMode": "deployment",
    "extensionVersion": "1.65.29"
  },
  "browser": {
    "name": "chrome",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
  }
}

Login data:

Browser extension - login data
JSON
{
    "browserId":"d732c61e-35ea-3bdf-27cd-d37a3fadf6f9",
    "platform":"TRELLO",
    "username":"person@example.com",
    "weakPassword":true,
    "passwordChanged":false,
    "passwordManuallyTyped":false,
    "trackedAccounts":[
        {
            "username":"person@example.com",
            "platform":"GITHUB",
            "lastLogin":"2022-03-17T14:25:55.000Z",
            "samePassword":false
        },
        {
            "username":"person@example.com",
            "platform":"GOOGLE_WORKSPACE",
            "lastLogin":"2022-04-04T07:49:00.000Z",
            "samePassword":true
        }
    ]
}

Blocked URL event data:

Browser extension - blocked URL event
JSON
{
    "browserId": "adjaw2-daajwd-awdja-2akdawd",
    "url": "https://blocked-url.com",
    "referrerUrl": "https://some-other-site.com"
}

SSO password protection event data:

Browser extension - SSO password protection event
JSON
{
    "browserId": "adjaw2-daajwd-awdja-2akdawd",
    "email": "person@example.com",
    "mode": "BLOCK",
    "platformType": "GCP",
    "url": "https://not-google.com",
    "referrerUrl": "https://not-google-referrer.com",
    "action": "DISPLAYED"
}

Phishing tools detection event data:

Browser extension - phishing tools detection event
JSON
{
    "browserId": "adjaw2-daajwd-awdja-2akdawd",
    "url": "https://evil.com",
    "referrerUrl": "https://example.com",
    "indicator": "AITM_TOOL_EVILGINX_01"
}

App banner displayed event data:

Browser extension - app banner displayed event
JSON
{
    "browserId": "adjaw2-daajwd-awdja-2akdawd",
    "platform": "OPENAI",
    "action": "DISPLAYED",
    "mode": "ACKNOWLEDGE",
    "title": "Title",
    "subtext": "Subtext with markdown",
    "buttonText": "Proceed anyway"
}

App banner acknowledged event data:

Browser extension - app banner acknowledged event
JSON
{
    "browserId": "adjaw2-daajwd-awdja-2akdawd",
    "platform": "OPENAI",
    "action": "ACKNOWLEDGED",
    "mode": "ACKNOWLEDGE",
    "title": "Title",
    "subtext": "Subtext with markdown",
    "buttonText": "Proceed anyway"
}

OIDC login event data:

Browser extension - OIDC login event
JSON
{
    "browserId": "adjaw2-daajwd-awdja-2akdawd",
    "protocol": "OIDC",
    "platform": "PUSH_SECURITY",
    "ssoProviderUsed": "GOOGLE_WORKSPACE",
    "username": "person@example.com",
    "redirectUrl": "https://example.com",
    "loginTime": "2024-04-23T09:02:32.183Z",
    "currentUrl": "https://another.example.com"
}

"Other app" password login event data:

Browser extension - other app password login event
JSON
{
    "browserId": "adjaw2-daajwd-awdja-2akdawd",
    "source": "PASSWORD_LOGIN",
    "email": "person@example.com",
    "platform": "https://other-saas-platform.com",
    "referrer": "https://referrer-url.com"
}

"Other app" OIDC login event data:

Browser extension - other app OIDC login event
JSON
{
    "browserId": "adjaw2-daajwd-awdja-2akdawd",
    "source": "OIDC_LOGIN",
    "email": "person@example.com",
    "platform": "https://other-saas-platform.com",
    "referrer": "https://referrer-url.com",
    "idpPlatform": "GOOGLE_WORKSPACE"
}