
Our Biggest Security Blind Spot is Still the Browser

Ethan Troy
hacker & writer
Nearly three years after highlighting “EDRs: Largely Ignore Browser Sessions!” at BSides Tampa in 2023, this critical security gap remains one of our biggest blind spots. While we’ve made tremendous progress in endpoint security, the browser session gap continues to be exploited.

The Persistent Problem

The cybersecurity industry has invested billions in Endpoint Detection and Response (EDR) solutions, yet we continue to miss a fundamental attack vector: the browser session. This isn’t a new discovery, but it’s a problem that persists because of several interrelated technical challenges.

The Core Problems

Encryption Reality

Browser traffic uses TLS encryption to protect data in transit. While this is essential for privacy and security, it creates a significant blind spot for EDR tools. When an attacker manipulates a browser session, that malicious activity is wrapped in the same encrypted tunnel as legitimate traffic. From the EDR’s perspective, it’s indistinguishable from normal HTTPS traffic.

The result: Potentially malicious activity remains masked from endpoint detection tools that rely on inspecting network traffic patterns.

Trusted Process Problem

Modern browsers like Chrome, Firefox, and Safari are considered “known good” processes. They’re signed by trusted vendors, regularly updated, and present on virtually every endpoint. This trusted status is well-deserved for the browser binary itself, but it creates a security paradox.

When attackers manipulate browser sessions, they’re operating within a trusted process. There’s no suspicious executable, no unsigned binary, no obviously malicious code. The browser is doing exactly what it’s designed to do—processing web content and managing sessions.

The result: EDR tools see legitimate browser activity, not an attack in progress.

Token Theft vs. Code Execution

Traditional malware detection focuses on code execution: suspicious processes, file modifications, registry changes, and other system-level activities. These indicators have been the bread and butter of security tools for decades.

Session token compromise operates differently. When an attacker steals authentication tokens or session cookies, it doesn’t require executing malicious code on the endpoint. It’s data movement, not code execution. From a behavioral perspective, it looks like normal browser data handling—cookies being stored, session data being transmitted, credentials being accessed.

The result: Session token theft bypasses traditional EDR detection mechanisms that are tuned for executable threats.

Browser Syncjacking

Browser profile hijacking, or “syncjacking,” represents an escalation of the session theft problem. By compromising browser sync features, attackers gain access to:

  • Saved credentials across all synced devices
  • Browsing history and preferences
  • Active login sessions
  • Autofill data including payment information

This attack vector is particularly insidious because browser sync is a legitimate, widely-used feature. The same functionality that provides convenience for users provides opportunity for attackers.

The result: A single compromise can cascade across an entire browser ecosystem, multiplying the attacker’s access.

AI Agent Vulnerabilities

The emergence of AI browsing agents introduces a new dimension to this problem: indirect prompt injection. These agents interact with web content at machine speed, making autonomous decisions about what to click, what forms to fill, and what data to trust.

When malicious web content manipulates an AI agent’s behavior through carefully crafted inputs, the attack happens at a speed and scale that humans can’t monitor. The agent believes it’s following legitimate instructions, but it’s actually executing an attacker’s commands.

The result: AI agents can be manipulated to exfiltrate data, modify systems, or perform unauthorized actions—all while appearing to function normally.
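The following is an added example, not code from the post, of the kind of guardrail this section calls for and that the “Implement guardrails for AI agents” recommendation below spells out: a policy layer that sits between an AI browsing agent and the browser it drives. It does not try to recognise an injected instruction in page text; it constrains what any instruction can achieve. The class and method names, the action vocabulary, and the assumption that the agent runtime tags each payload with the origins it was derived from (`data_sources`) are all hypothetical; the scenario and its URLs are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Added example: a policy layer between an AI browsing agent and the browser it drives.
# The agent proposes actions; nothing reaches the browser unless the policy allows it.
# Class, field and action names are assumptions, not any vendor's API.

@dataclass
class Action:
    kind: str                                              # "read", "navigate", "fill", "submit", "download"
    url: str                                               # target of the action
    fields: Dict[str, str] = field(default_factory=dict)   # form data for fill/submit
    # Origins the payload was derived from; assumed to be tagged by the agent runtime.
    data_sources: Set[str] = field(default_factory=set)

@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_human: bool = False   # True when the action is parked for a person to approve

def origin_of(url: str) -> str:
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"

class AgentGuardrail:
    SENSITIVE_KINDS = {"submit", "download"}               # side effects: a human signs off
    SENSITIVE_FIELDS = {"password", "otp", "card_number"}  # data the agent may never handle

    def __init__(self, allowed_origins: List[str]):
        self.allowed_origins = {origin_of(o) for o in allowed_origins}
        self.approvals: Set[Tuple[str, str]] = set()
        self.audit_log: List[Tuple[str, str, bool, str]] = []

    def approve(self, kind: str, url: str) -> None:
        """A person approves one specific action (human-in-the-loop)."""
        self.approvals.add((kind, url))

    def evaluate(self, action: Action) -> Decision:
        decision = self._check(action)
        # Every proposal is logged, allowed or not: the trail a responder needs when an
        # agent starts doing something it should not.
        self.audit_log.append((action.kind, action.url, decision.allowed, decision.reason))
        return decision

    def _check(self, action: Action) -> Decision:
        target = origin_of(action.url)
        # 1. Origin allowlist: text on a page cannot steer the agent to an arbitrary site.
        if target not in self.allowed_origins:
            return Decision(False, f"origin {target} is not allowlisted")
        # 2. Data access limit: credentials and payment data are off limits outright.
        leaked = set(action.fields) & self.SENSITIVE_FIELDS
        if leaked:
            return Decision(False, f"refusing to handle sensitive fields {sorted(leaked)}")
        # 3. Egress control: data read from one origin may not be sent to another.
        foreign = {s for s in action.data_sources if s != target}
        if action.kind in {"fill", "submit"} and foreign:
            return Decision(False, f"cross-origin data flow from {sorted(foreign)} to {target}")
        # 4. Human-in-the-loop: side-effecting actions run only after explicit approval.
        if action.kind in self.SENSITIVE_KINDS and (action.kind, action.url) not in self.approvals:
            return Decision(False, "awaiting human approval", needs_human=True)
        return Decision(True, "ok")

def run_scenario() -> List[Decision]:
    """Constructed sequence: the agent reads an order page whose hidden text tells it to send
    the user's mailbox contents elsewhere. The policy, not the model, decides what happens."""
    g = AgentGuardrail(["https://shop.example", "https://mail.example"])
    steps = [
        Action("read", "https://shop.example/orders/42"),   # the user's actual task
        Action("read", "https://mail.example/inbox"),       # also in scope for the task
        # injected: ship the mailbox to an origin the policy has never heard of
        Action("submit", "https://collect.example/upload", {"body": "<inbox>"}, {"https://mail.example"}),
        # injected fallback: post the mailbox into the shop's own support form instead
        Action("submit", "https://shop.example/support", {"body": "<inbox>"}, {"https://mail.example"}),
        # legitimate but side-effecting: parked until a person approves it
        Action("submit", "https://shop.example/orders/42/cancel", {"order": "42"}, {"https://shop.example"}),
        # the agent is never allowed to touch credentials, whoever asked
        Action("fill", "https://shop.example/login", {"password": "<redacted>"}),
    ]
    decisions = [g.evaluate(a) for a in steps]
    g.approve("submit", "https://shop.example/orders/42/cancel")   # the human signs off
    decisions.append(g.evaluate(steps[4]))
    return decisions

if __name__ == "__main__":
    for d in run_scenario():
        print("ALLOW " if d.allowed else "DENY  ", d.reason)
```

The point of the scenario is that the two injected actions fail for reasons that hold no matter what the model believed it was doing: one targets an origin outside the allowlist, the other moves data read from one origin into a form on another. The legitimate cancel request is not blocked, only held until a person approves it, and the audit log records every proposal either way.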

The Defense Gap

The fundamental issue is that we’re trying to solve a session-layer problem with endpoint-layer tools. EDRs excel at detecting process-based threats but struggle with attacks that operate within legitimate processes using legitimate protocols.

Recommended Defenses

While EDR limitations persist, organizations can implement several compensating controls:

  • Implement FIDO2/passkeys instead of SMS or OTP: Hardware-backed authentication makes session token theft significantly more difficult. Even if an attacker steals a session token, they can’t establish new sessions without the physical authenticator.

  • Deploy enterprise browser security tools with session awareness: Next-generation browser security solutions monitor session behavior, token usage patterns, and browser-level activities that traditional EDRs miss.

  • Enable Identity Threat Detection and Response (ITDR) with session-level response capabilities: ITDR solutions can detect anomalous session behavior (impossible travel, unusual access patterns, token replay attacks) and terminate suspicious sessions in real time.

  • Implement guardrails for AI agents: This includes data access limits, action logging, human-in-the-loop requirements for sensitive operations, and sandboxing for web content interaction. AI agents should operate under the principle of least privilege.
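As an added example, not code from the post, here is the session-level detection that the “Token Theft vs. Code Execution” section above says EDRs lack and that the ITDR recommendation above calls for, run over a constructed log. It assumes a log that records, per authenticated request, the session identifier, a device fingerprint bound to the session when it was issued, and a geolocation for the source address; the field names, the sample events, and the 900 km/h travel threshold are all assumptions. Nothing here looks at processes or binaries: the only inputs are where, when, and from what device a token was presented.

```python
import json
import math
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample log (not from the post): one JSON event per line, in the shape an
# identity provider or session-aware proxy might emit for each authenticated request.
# "device" stands for a device fingerprint bound to the session when it was issued.
SAMPLE_LOG = """\
{"ts": 1735600000, "user": "alice", "session": "s-1001", "ip": "203.0.113.10", "device": "fp-a1", "lat": 27.95, "lon": -82.46}
{"ts": 1735600300, "user": "alice", "session": "s-1001", "ip": "203.0.113.10", "device": "fp-a1", "lat": 27.95, "lon": -82.46}
{"ts": 1735600600, "user": "alice", "session": "s-1001", "ip": "198.51.100.7", "device": "fp-zz", "lat": 52.52, "lon": 13.40}
{"ts": 1735600900, "user": "bob",   "session": "s-2002", "ip": "192.0.2.44",   "device": "fp-b7", "lat": 40.71, "lon": -74.01}
{"ts": 1735601000, "user": "carol", "session": "s-3003", "ip": "192.0.2.90",   "device": "fp-c1", "lat": 51.51, "lon": -0.13}
{"ts": 1735601600, "user": "carol", "session": "s-3003", "ip": "192.0.2.91",   "device": "fp-c2", "lat": 51.51, "lon": -0.13}
{"ts": 1735604500, "user": "bob",   "session": "s-2002", "ip": "192.0.2.45",   "device": "fp-b7", "lat": 40.71, "lon": -74.01}
{"ts": 1735604800, "user": "alice", "session": "s-1001", "ip": "198.51.100.7", "device": "fp-zz", "lat": 52.52, "lon": 13.40}
"""

MAX_SPEED_KMH = 900.0   # faster than a commercial flight: two hops cannot both be the user

@dataclass
class Alert:
    session: str
    user: str
    rule: str
    detail: str
    action: str = "terminate_session"

@dataclass
class SessionState:
    user: str
    device: str          # fingerprint seen when the session was first observed
    last_ts: int
    last_lat: float
    last_lon: float

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

class SessionMonitor:
    """Stateful detector: tracks each session and alerts on session-level anomalies."""

    def __init__(self, max_speed_kmh: float = MAX_SPEED_KMH):
        self.max_speed_kmh = max_speed_kmh
        self.sessions: Dict[str, SessionState] = {}
        self.terminated: Set[str] = set()

    def process(self, ev: dict) -> List[Alert]:
        sid, alerts = ev["session"], []
        if sid in self.terminated:
            # The token kept being presented after revocation: the holder is not going away.
            alerts.append(Alert(sid, ev["user"], "session_use_after_termination",
                                f"request from {ev['ip']} on revoked session"))
            return alerts
        state = self.sessions.get(sid)
        if state is None:
            # First sighting: bind the session to its device fingerprint and location.
            self.sessions[sid] = SessionState(ev["user"], ev["device"], ev["ts"], ev["lat"], ev["lon"])
            return alerts
        # Rule 1: the token is presented from a different device than it was issued to.
        if ev["device"] != state.device:
            alerts.append(Alert(sid, state.user, "session_device_mismatch",
                                f"issued to {state.device}, presented from {ev['device']} ({ev['ip']})"))
        # Rule 2: impossible travel between consecutive requests in the same session.
        dist_km = haversine_km(state.last_lat, state.last_lon, ev["lat"], ev["lon"])
        hours = max(ev["ts"] - state.last_ts, 1) / 3600.0
        if dist_km / hours > self.max_speed_kmh:
            alerts.append(Alert(sid, state.user, "impossible_travel",
                                f"{dist_km:.0f} km in {hours * 60:.0f} min"))
        if alerts:
            # Session-level response: revoke the token instead of waiting for a process indicator.
            self.terminated.add(sid)
        else:
            state.last_ts, state.last_lat, state.last_lon = ev["ts"], ev["lat"], ev["lon"]
        return alerts

def analyze(log_text: str) -> Tuple[List[Alert], Set[str]]:
    """Run the monitor over a log and return (alerts, sessions that were terminated)."""
    monitor = SessionMonitor()
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(monitor.process(json.loads(line)))
    return alerts, monitor.terminated

if __name__ == "__main__":
    found, revoked = analyze(SAMPLE_LOG)
    for a in found:
        print(f"{a.rule:30} {a.user:6} {a.session}  {a.detail}  -> {a.action}")
    print("revoked sessions:", sorted(revoked))
```

Two design choices are worth noting. The monitor deliberately ignores bob’s change of source address: a new IP with the same device and location is ordinary NAT or mobile churn and would flood analysts with noise, whereas a new device fingerprint on an existing session is exactly what a replayed cookie looks like. And detection is tied to a response: once a rule fires the session is revoked, so the later request on alice’s session is caught as use of a revoked token rather than silently served, which is the “session-level response” the ITDR recommendation is about.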

The Path Forward

Browser session security requires a defense-in-depth approach that acknowledges EDR limitations. We can’t expect endpoint tools to solve session-layer problems. Instead, we need:

  1. Session-aware security tools that monitor authentication and session behavior
  2. Hardware-backed authentication that makes token theft less valuable
  3. AI safety controls that prevent autonomous agent manipulation
  4. User education about browser security risks

Three years after highlighting this gap, it’s time to move browser session security from a blind spot to a core component of our security architecture. The attackers certainly haven’t ignored it.


Originally published on LinkedIn on December 31, 2025.
