Incidents involving infostealers remain underestimated. This malware directly targets password vaults built into browsers. It operates within the user session and frequently bypasses EDR detection. The issue is simple: in the event of a leak, you must report the incident to ANSSI (NIS2).
Your browser's ‘default’ settings
Browsers offer optimal default settings for users: they remember the user's passwords. This is very convenient, reduces ‘password fatigue,’ and seems more secure than storing them in a flat file.
But is this option, which is very useful for compensating for the lack of SSO (Single Sign-On) in companies and the natural limit of our brain's ability to remember hundreds of passwords, really secure?
What are the consequences if profile synchronisation with a personal account (Chrome/Gmail, Edge/Microsoft) is allowed?
We feel protected within our browser, on our work computer, equipped with EDR (Endpoint Detection and Response). But infostealers are there to test this false sense of security.
What is an infostealer?
An infostealer arrives via traditional vectors: malicious attachments, fake installers, malicious advertising (malvertising), compromised websites or existing loaders.
The binary is often obfuscated, compressed or even encrypted to evade signatures. Once executed, it operates in the user's context, inherits their access rights, and primarily targets what the user sees and uses.
The infostealer does not need elevated privileges to read what the browser or application decrypts for the user. It accesses the local profile and data and then extracts the stored credentials in plain text. It targets existing secret reservoirs to be efficient.
Infostealer: why is it so effective?
Locally on a workstation: An infostealer runs in the user's session, without elevated privileges. It reads the browser's databases, profiles, and tokens, then extracts the stored credentials. The EDR tool is not foolproof: a stealthy executable, a detection window that is too late, or a recently mutated binary are enough to go unnoticed and exfiltrate information before detection.
If profiles are synchronised: When password backup is allowed and synchronisation with a personal account (Gmail) is not blocked, the consequences are much greater. Credentials travel between the workstation managed by the company and personal devices, which are not controlled...
Synchronisation allows access to all passwords regardless of the infected browser (work or personal). Without MFA (Multi-Factor Authentication), takeover is immediate. Access can be resold to IABs (Initial Access Brokers), who monetise this initial access to corporate environments. With MFA, the residual risk remains (persistent tokens, already open sessions), but it is considerably reduced.
Operational conclusion: as long as browsers store and synchronise passwords, the attacker benefits from an expanded exfiltration perimeter, often outside the scope of EDR control.
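The local-access behaviour described above (a process in the user's session reading the browser's credential databases) leaves a trace that endpoint telemetry can catch even when signatures miss the binary. The following is an added detection example, not code from the article; it assumes file-read events of the shape (timestamp, process image path, target file path), as an EDR or Sysmon-style pipeline can provide, and flags any non-browser process that opens a browser credential store. The events below are constructed.

```python
"""Flag non-browser processes reading a browser's credential store.

Added example, not from the article. It assumes file-read telemetry of the
shape (timestamp, process image path, target file path); the events below
are constructed for the demonstration.
"""
from collections import defaultdict
from typing import NamedTuple

# Files holding saved logins, or the key material protecting them (well-known names).
CREDENTIAL_STORES = {"login data", "logins.json", "key4.db"}
# Processes legitimately expected to open those files.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}


class FileReadEvent(NamedTuple):
    ts: str
    image: str   # full path of the reading process
    target: str  # full path of the file read


class Alert(NamedTuple):
    ts: str
    process: str
    store: str
    target: str


def basename(path):
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1].lower()


def detect(events):
    """One alert per credential-store read performed by a non-browser process."""
    alerts = []
    for ev in events:
        store = basename(ev.target)
        proc = basename(ev.image)
        if store in CREDENTIAL_STORES and proc not in BROWSER_IMAGES:
            alerts.append(Alert(ev.ts, proc, store, ev.target))
    return alerts


def summarize(alerts):
    """Map each offending process to the sorted list of stores it touched.

    One process reaching into the stores of several browsers is the
    mass-harvesting pattern rather than a one-off read."""
    touched = defaultdict(set)
    for a in alerts:
        touched[a.process].add(a.store)
    return {p: sorted(s) for p, s in touched.items()}


# Constructed sample telemetry (paths and names are illustrative).
SAMPLE_EVENTS = [
    FileReadEvent("2024-01-01T09:00:01Z",
                  r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                  r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileReadEvent("2024-01-01T09:00:05Z",
                  r"C:\Program Files\Mozilla Firefox\firefox.exe",
                  r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\logins.json"),
    FileReadEvent("2024-01-01T09:02:10Z",
                  r"C:\Users\alice\AppData\Local\Temp\setup_update.exe",
                  r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileReadEvent("2024-01-01T09:02:11Z",
                  r"C:\Users\alice\AppData\Local\Temp\setup_update.exe",
                  r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\key4.db"),
    FileReadEvent("2024-01-01T09:03:00Z",
                  r"C:\Windows\explorer.exe",
                  r"C:\Users\alice\Documents\report.docx"),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.ts} ALERT {a.process} read {a.store}: {a.target}")
    print(summarize(found))
```

Matching on the process image name alone is a simplification for the example: in production, key the allowlist on the signed image path or publisher rather than the file name, and treat a single process touching the stores of more than one browser as the high-severity case.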
How can we solve the problems associated with infostealers?
It will not be possible to prevent infostealers from acting, but we can drastically reduce their attack surface.
The following actions must be enforced by GPO (Group Policy Object), MDM (Mobile Device Management), or equivalents: Intune, Jamf, or multi-OS platforms.
Browsers (Chrome / Edge / Firefox)
- Disable password saving and auto-fill. Indicative examples to be adapted: PasswordManagerEnabled=false, AutoFillPasswordsDisabled=true, OfferToSaveLogins=false.
- Block non-corporate browser logins and disable out-of-domain synchronisation. Examples: BrowserSignin=Disabled, SyncDisabled=true, restriction of authorised domains to *.corporate.fr.
- Enforce managed profiles and restrict extensions. Examples: blocklist of unapproved extensions, allowlist of dedicated vaults, prohibition of ‘password export’ extensions.
- Separate work and personal contexts via profiles, and prohibit unmanaged profiles on company workstations.
Workstations and MDM
- Apply browser policies via GPO / Intune / Jamf with drift tolerance = 0
- Inventory extensions and block side-loading
- Prevent the use of built-in browser managers and enforce a dedicated vault
- Update browsers and engines quickly and reject obsolete versions
- On mobile devices, managed envelopes for corporate browsers and strict data separation
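The browser policies listed above and the "drift tolerance = 0" requirement in the workstation list come together in a compliance check. The following is an added example, not code from the article or from any browser vendor: it audits a Chrome/Edge managed policy file and a Firefox policies.json against the hardened baseline (the same policy names are what a GPO writes under HKLM\Software\Policies\Google\Chrome and HKLM\Software\Policies\Microsoft\Edge on Windows). The policy names PasswordManagerEnabled, BrowserSignin, SyncDisabled, RestrictSigninToPattern, OfferToSaveLogins and DisableFirefoxAccounts are real; the sample policy files and the test address used to probe the sign-in pattern are constructed.

```python
"""Audit browser policies against the hardening baseline above (drift tolerance = 0).

Added example, not code from the article or from a browser vendor. It assumes
the managed-policy JSON that Chrome and Edge read on Linux/macOS, and Firefox's
policies.json. Policy names are the real ones; sample policies are constructed.
"""
import json
import re

PERSONAL_TEST_ADDRESS = "someone@gmail.com"  # constructed: must NOT match the sign-in pattern


def signin_pattern_ok(value):
    """RestrictSigninToPattern must be a regex that rejects personal accounts."""
    if not isinstance(value, str) or not value:
        return False
    try:
        return re.fullmatch(value, PERSONAL_TEST_ADDRESS) is None
    except re.error:
        return False  # an invalid regex silently disables the restriction


# (policy name, predicate on the configured value, requirement shown in findings)
CHROMIUM_BASELINE = [
    ("PasswordManagerEnabled", lambda v: v is False, "false: no built-in password vault"),
    ("BrowserSignin", lambda v: v == 0, "0: browser sign-in disabled"),
    ("SyncDisabled", lambda v: v is True, "true: no profile synchronisation"),
    ("RestrictSigninToPattern", signin_pattern_ok, "regex limited to the corporate domain"),
]

FIREFOX_BASELINE = [
    ("OfferToSaveLogins", lambda v: v is False, "false: never offer to save logins"),
    ("PasswordManagerEnabled", lambda v: v is False, "false: built-in manager off"),
    ("DisableFirefoxAccounts", lambda v: v is True, "true: no Firefox Sync"),
]


def audit(policy, baseline):
    """Return one finding per policy that is absent or outside the baseline."""
    findings = []
    for name, ok, requirement in baseline:
        if name not in policy:
            findings.append(f"{name}: not set (browser default applies); required {requirement}")
        elif not ok(policy[name]):
            findings.append(f"{name}: is {policy[name]!r}; required {requirement}")
    return findings


def audit_chromium_text(text):
    """Audit a Chrome/Edge managed policy file given as JSON text."""
    return audit(json.loads(text), CHROMIUM_BASELINE)


def audit_firefox_text(text):
    """Audit a Firefox policies.json given as JSON text (keys live under 'policies')."""
    return audit(json.loads(text).get("policies", {}), FIREFOX_BASELINE)


def is_compliant(findings):
    """Drift tolerance = 0: a single finding fails the workstation."""
    return len(findings) == 0


# Constructed sample files: the "convenient default" and the hardened version.
WEAK_CHROME = json.dumps({"PasswordManagerEnabled": True, "BrowserSignin": 1})
HARDENED_CHROME = json.dumps({
    "PasswordManagerEnabled": False,
    "BrowserSignin": 0,
    "SyncDisabled": True,
    "RestrictSigninToPattern": r".*@corporate\.fr",
})
WEAK_FIREFOX = json.dumps({"policies": {"OfferToSaveLogins": True}})
HARDENED_FIREFOX = json.dumps({"policies": {
    "OfferToSaveLogins": False,
    "PasswordManagerEnabled": False,
    "DisableFirefoxAccounts": True,
}})

if __name__ == "__main__":
    for label, result in [
        ("chrome weak", audit_chromium_text(WEAK_CHROME)),
        ("chrome hardened", audit_chromium_text(HARDENED_CHROME)),
        ("firefox weak", audit_firefox_text(WEAK_FIREFOX)),
        ("firefox hardened", audit_firefox_text(HARDENED_FIREFOX)),
    ]:
        print(label, "OK" if is_compliant(result) else "DRIFT")
        for line in result:
            print("  -", line)
```

A policy that is simply absent is reported as drift, not ignored, because the browser then falls back to its convenient default (saving and syncing enabled); this is the case the article's "drift tolerance = 0" is meant to catch.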
Identity and authentication
- SSO via a corporate IdP (Identity Provider), with systematic MFA for sensitive applications and services
- Deploy FIDO2 / WebAuthn passkeys to reduce dependence on passwords
Conclusion
Infostealers exploit blind spots, particularly browser vaults.
An effective response combines centralised policies, dedicated vaults, widespread MFA, and passkeys. Under NIS2, it is not only important to ‘do the right thing’, but also to prove that you are applying, monitoring and correcting.
The policy change will not be smooth, as user habits are difficult to change, but if nothing is done, the effects of synchronising professional and personal accounts could quickly prove devastating.
Article written by Gilles Favier - VP Product - Board of Cyber
