The Four Question Framework for Threat Modeling takes a deep look at the specific design of the Four Questions. The questions provide a framework and language for effective threat modeling, and have been called "deceptively simple."

Security Engineering — Third Edition

Here are the basic steps of what happens:

1. Malware runs on user’s machine

• but others have similar features

1. Malware connects to the debugging port

• or remote control the browser

1. Attacker uses the cookies and gains access to resources

Note: This specific technique via the remote debugging port was originally described as “Cookie Crimes” by @mangopdf for Chrome.

All security vulnerabilities lie on a spectrum of how hard they are to resolve.
On one end, there are vulnerabilities that are easily patched, and on the other side, are those that are not.
Whenever doing security research, it's important to understand which you are dealing with.