Category: Account & Session Attacks
Man-in-the-browser (MitB)
Man-in-the-browser (MitB) attacks use malware or malicious extensions to manipulate what a user sees in the browser and to steal data from inside sessions.
Quick answer
MitB can bypass security controls by altering transactions in real time—after the user is already authenticated and acting legitimately.
For token theft and session hijacking patterns, isolation reduces exposure by separating web execution from the endpoint and limiting session residue when the container is deleted.
When you need this
- You’ve seen indicators of this threat in your environment.
- Users frequently click unknown links as part of daily work.
- You need a control that reduces risk without relying on perfect user judgment.
Last updated
2026-01-29
How it usually happens in the browser
- A user installs a malicious extension or becomes infected with malware that hooks into the browser.
- The attacker reads form inputs, modifies page content, or injects invisible fields into transactions.
- Sensitive operations (payments, account settings) are altered while displaying “normal” information to the user.
- Data is exfiltrated continuously from inside legitimate sessions.
What traditional defenses miss
- The traffic and actions can look legitimate because they occur inside a real authenticated session.
- Users see the attacker’s modified UI and often can’t detect subtle transaction changes.
- Many controls focus on blocking initial compromise rather than detecting in-session tampering.
How isolation changes the game
- Isolation reduces exposure to malicious web content that often precedes browser compromise and can support stricter browsing policies on risky destinations.
- A strong isolation program pairs with extension controls to reduce the chance of MitB footholds.
- Disposable isolated sessions limit residual state from risky browsing, though endpoint malware still requires remediation.
Operational checklist
- Enforce strict extension allowlists; block user installs and audit updates.
- Use endpoint security and patch management to reduce malware footholds.
- Require step-up verification for high-risk transactions (out-of-band confirmation, re-auth).
- Isolate risky browsing paths to reduce exposure to exploit and download vectors.
- Monitor for transaction anomalies (new payees, changed bank details, unusual admin actions).
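One way to implement the out-of-band step-up confirmation from the checklist, as an added example that is not from the original page or any product it references. The server builds the second-channel message from the transaction it actually received and binds the code to those fields, so a payee swapped inside the browser shows up on the user's phone, and a swap made after the challenge fails verification. The `StepUp` class, the field names, the 8-digit code format and the sample values are assumptions.

```python
import hashlib
import hmac
import json
import secrets

FIELDS = ("account", "payee_iban", "amount", "currency")  # hypothetical schema


def _code(key: bytes, nonce: str, tx: dict) -> str:
    """8-digit code bound to the nonce and the exact transaction fields."""
    body = json.dumps({f: tx[f] for f in FIELDS}, sort_keys=True).encode()
    mac = hmac.new(key, nonce.encode() + b"." + body, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 100_000_000:08d}"


class StepUp:
    def __init__(self, key: bytes, max_attempts: int = 3):
        self.key, self.max_attempts = key, max_attempts
        self.pending = {}  # nonce -> attempts left (in-memory for the example)

    def challenge(self, tx_received: dict) -> dict:
        """Build the out-of-band message from what the server received."""
        nonce = secrets.token_hex(8)
        self.pending[nonce] = self.max_attempts
        summary = (f"Pay {tx_received['amount']} {tx_received['currency']} "
                   f"to {tx_received['payee_iban']}")
        # summary and code go to the registered phone/app, never to the browser
        return {"nonce": nonce, "summary": summary,
                "code": _code(self.key, nonce, tx_received)}

    def confirm(self, nonce: str, tx_to_execute: dict, code: str) -> bool:
        """Accept only a code that matches the transaction about to execute."""
        left = self.pending.get(nonce, 0)
        if left <= 0:
            return False  # unknown, already used, or attempts exhausted
        expected = _code(self.key, nonce, tx_to_execute)
        ok = hmac.compare_digest(expected.encode(), code.encode())
        if ok:
            del self.pending[nonce]  # single use
        else:
            self.pending[nonce] = left - 1
        return ok


# Constructed sample values: what the user intended vs. what a tampered page sent
INTENDED = {"account": "ACC-1", "payee_iban": "DE00EXAMPLE0001",
            "amount": "100.00", "currency": "EUR"}
TAMPERED = dict(INTENDED, payee_iban="XX00EXAMPLE9999")
```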
FAQs
Is MitB the same as man-in-the-middle?
No. MitM typically intercepts network traffic. MitB operates inside the browser itself, modifying pages and capturing data directly.
Can HTTPS stop MitB?
No. HTTPS protects traffic in transit, but MitB acts after decryption—inside the browser.
Does isolation prevent MitB?
Isolation reduces exposure to untrusted web content and complements extension controls, but endpoint malware/extension risks still need dedicated controls.
What’s a strong mitigation for finance fraud?
Step-up verification for payee and payout changes, plus strict browser/extension policy and isolation for risky browsing.