Push Security

What is it?

Push Security is a browser extension for identity security. It operates in two areas: detection/response for identity-based attacks, and visibility into the organization’s identity attack surface.

For detection and response, the extension collects telemetry directly from the browser. It can identify when corporate credentials are submitted to phishing sites, detect SSO password reuse across applications, and identify phishing attacks built with adversary-in-the-middle toolkits such as Evilginx. The extension inspects the page DOM, JavaScript libraries, network requests, cookies, and local storage state to detect malicious behavior.

For visibility, Push Security observes identity creation and usage across the organization. It identifies all accounts passing through the browser, including those outside the SSO perimeter, and surfaces vulnerable identities (accounts without MFA, weak passwords, non-federated logins). It builds an application inventory based on actual browser activity rather than procurement records.

Why did they build it?

Security teams assumed SSO logs provided complete identity visibility. In practice, users create accounts across SaaS applications, automation platforms, code repositories, and services like Snowflake, often without SSO and frequently without MFA. Some users create personal Google accounts using their corporate email address to SSO into external services.

Attackers have adapted to improved IDP security (mandatory passkeys, better MFA defaults) by targeting applications outside the SSO perimeter directly. Push Security has observed phishing attacks against Postman, Jira, Onfido, and workflow automation platforms like Zapier and Make. These applications often have OAuth access to other systems, making them valuable lateral movement targets.

The browser is the ingress point for identity information. Traditional security tools (EDR, NDR, email gateways) lack visibility into what credentials users enter and where.

How does the SSO password protection work without storing passwords?

The browser extension observes when a user logs into their primary Identity Provider and computes a hash of the password. It stores only a k-anonymized version (a truncated hash) within the browser’s secure sandbox. Passwords entered into other sites are hashed the same way and compared against this locally stored value. If a match is detected, indicating attempted reuse, the extension blocks the action. No raw passwords or full hashes leave the user’s browser.

This mechanism also functions as a zero-day phishing detection method: when a user attempts to enter their SSO password into any site that is not the legitimate IDP, it triggers an alert. Most triggers are false positives (password reuse on legitimate sites), but a percentage are previously unknown phishing servers.
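The following is an added illustration of the mechanism described above, not Push Security's code. It models the two steps in plain Python: keep only a truncated SHA-256 prefix of the password seen at the IDP login form, then compare a fingerprint of each later password submission against it. The origins, the prefix length, and the set of known corporate applications are constructed assumptions.

```python
import hashlib
from typing import Optional, Set

# Constructed values for this illustration; nothing here is Push Security's code.
IDP_ORIGIN = "https://login.example-idp.test"
PREFIX_HEX_CHARS = 10  # assumption: retain 40 bits of the SHA-256 digest, never the full hash

# Assumed allowlist of the organisation's own applications, used only to label a match
# as "reuse on a legitimate site" versus "unknown site, possible phishing".
KNOWN_CORPORATE_APPS: Set[str] = {"https://wiki.example-saas.test"}


def password_fingerprint(password: str) -> str:
    """Truncated SHA-256 hex digest of a password; only the prefix is ever retained."""
    full = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return full[:PREFIX_HEX_CHARS]


class SsoPasswordGuard:
    """Local-only guard: the stored state is a hash prefix, not a password."""

    def __init__(self, idp_origin: str, known_apps: Set[str]) -> None:
        self.idp_origin = idp_origin
        self.known_apps = known_apps
        self.stored_prefix: Optional[str] = None  # what stays in the browser sandbox

    def observe_idp_login(self, password: str) -> None:
        """Called when the IDP login form is submitted; the password itself is dropped."""
        self.stored_prefix = password_fingerprint(password)

    def check_submission(self, origin: str, password: str) -> str:
        """Return 'allow', 'block:reuse' or 'block:possible-phishing' for a submission."""
        if origin == self.idp_origin or self.stored_prefix is None:
            return "allow"
        if password_fingerprint(password) != self.stored_prefix:
            return "allow"
        # The SSO password is being entered somewhere other than the IDP.
        if origin in self.known_apps:
            return "block:reuse"            # the common case: reuse on a legitimate app
        return "block:possible-phishing"    # unknown origin asking for the SSO password


def demo():
    """Run the guard over constructed submissions and return (origin, verdict) pairs."""
    guard = SsoPasswordGuard(IDP_ORIGIN, KNOWN_CORPORATE_APPS)
    guard.observe_idp_login("correct horse battery staple")
    submissions = [
        (IDP_ORIGIN, "correct horse battery staple"),
        ("https://wiki.example-saas.test", "correct horse battery staple"),
        ("https://login.example-idp.test.attacker.test", "correct horse battery staple"),
        ("https://wiki.example-saas.test", "a different password"),
    ]
    return [(origin, guard.check_submission(origin, pw)) for origin, pw in submissions]


if __name__ == "__main__":
    for origin, verdict in demo():
        print(f"{verdict:24} {origin}")
```

Because only a prefix of the digest is kept, an unrelated password can collide with it; at 40 retained bits that is rare but not impossible, which is one more reason a match is treated as a signal to block and alert rather than as proof of reuse. Distinguishing reuse from phishing still needs context the hash alone cannot give, here approximated by the allowlist.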

How does Push Security detect phishing that evades email gateways?

Email gateways cannot detect phishing that doesn’t arrive via email. Push Security has observed phishing delivered through:

  • Malvertising: Attackers purchase Google Ads for targeted services. Push detected an Evilginx server impersonating Onfido’s dashboard advertised on Google, capturing users who searched for the service instead of accessing it through SSO.
  • Legitimate service redirects: Attackers use services like JotForm or Google Docs as intermediate steps. In one case, an attacker filled out a company’s contact form, engaged with sales, then shared a JotForm that redirected to a phishing server.
  • Precision-validated phishing: The phishing page verifies that the visitor’s email address is one of its intended targets before rendering the credential-capture page, so automated sandboxes and URL scanners that arrive without a targeted address see nothing malicious.

Because the extension operates after the page is rendered and decoded, it can inspect the DOM and user interactions regardless of the delivery vector or evasion techniques.

What visibility does Push Security provide beyond SSO-enrolled applications?

Push Security observes every login passing through the browser and builds an inventory of applications actually in use. This reveals:

  • Applications accessed without SSO federation (local username/password accounts)
  • Applications where users bypass corporate SSO by authenticating through personal Google accounts
  • MFA enrollment status per application, including the specific MFA methods in use
  • OAuth grants between applications, including grants that don’t involve the primary IDP

The platform surfaces scenarios such as GitHub functioning as an IDP for other services, or Slack auto-logging users into Loom when clicking shared videos, creating authentication relationships outside the intended identity architecture.
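As an added example of how such an inventory can be derived from observed logins (not Push Security's code), the snippet below classifies constructed login observations into the categories listed above and aggregates them per application. The observation fields, the primary IDP name, the corporate domain, and the rule that a Google sign-in not routed through the primary IDP is a personal account are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

CORPORATE_IDP = "okta"        # assumption: the organisation's primary IDP
CORP_DOMAIN = "corp.example"  # constructed corporate email domain


@dataclass(frozen=True)
class LoginObservation:
    """One login seen in the browser (constructed shape, not a real telemetry schema)."""
    app: str
    auth_method: str                   # "password" or "federated"
    provider: str                      # who issued the assertion; "" for password logins
    identity: str                      # account used for the login
    mfa_methods: Tuple[str, ...] = ()  # MFA methods observed during the login, if any


def classify(obs: LoginObservation) -> List[str]:
    """Return the findings for a single observation."""
    findings: List[str] = []
    if obs.auth_method == "password":
        findings.append("local-password-account")
        if not obs.mfa_methods:
            findings.append("no-mfa")
    elif obs.auth_method == "federated" and obs.provider != CORPORATE_IDP:
        corporate_identity = obs.identity.endswith("@" + CORP_DOMAIN)
        if obs.provider == "google" and corporate_identity:
            # Assumption: the org does not use Google as an IDP, so this is a personal
            # Google account created with a corporate email address.
            findings.append("personal-google-with-corporate-email")
        else:
            # Another application acting as an IDP (e.g. GitHub or Slack sign-in).
            findings.append(f"federated-via-{obs.provider}")
    return findings


def build_inventory(observations: List[LoginObservation]) -> Dict[str, Dict[str, Set[str]]]:
    """Aggregate observations into a per-application inventory of identities and findings."""
    inventory: Dict[str, Dict[str, Set[str]]] = {}
    for obs in observations:
        entry = inventory.setdefault(obs.app, {"identities": set(), "findings": set()})
        entry["identities"].add(obs.identity)
        entry["findings"].update(classify(obs))
    return inventory


# Constructed sample observations.
SAMPLE_OBSERVATIONS = [
    LoginObservation("Jira", "federated", "okta", "alice@corp.example", ("webauthn",)),
    LoginObservation("Snowflake", "password", "", "bob@corp.example"),
    LoginObservation("Zapier", "federated", "google", "carol@corp.example"),
    LoginObservation("Loom", "federated", "slack", "dave@corp.example"),
    LoginObservation("Postman", "password", "", "erin@corp.example", ("totp",)),
]


if __name__ == "__main__":
    for app, entry in sorted(build_inventory(SAMPLE_OBSERVATIONS).items()):
        print(f"{app:10} users={len(entry['identities'])} findings={sorted(entry['findings'])}")
```

The point of keying the inventory on what the browser actually saw is that Snowflake and Postman show up at all: neither would appear in an SSO log, and only the observation tells you that one of them has no second factor.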

Push Security compares observed logins against credentials available on dark web marketplaces to identify exposed accounts.

How does Push Security differ from enterprise browsers?

Push Security works inside any browser, including enterprise browsers. The company views enterprise browsers as solving a different problem: protecting the organization from employees (access control, DLP, screenshot prevention). Push Security focuses on protecting the organization from attackers targeting identity.

Enterprise browser users can still be phished. Push Security adds detection and blocking capabilities on top of any browser deployment.

Disclosure: Patrick Gray is an advisor to Push Security.