Google to Block Sign-ins from Embedded Browser Frameworks

In a bid to improve its phishing protections and to protect users from MITM attacks, Google has decided to block user sign-ins from embedded browser frameworks.

GBHackers on Security reports, “Google announced a new security update to block users sign-in using Embedded browser frameworks in order to improve the protection against Phishing and MitM attacks.”

In a blog post dated April 18, 2019, Jonathan Skelker, Product Manager, Account Security at Google, clarifies that MITM (Man in the Middle), which is one form of phishing, becomes “…hard to detect when an embedded browser framework (e.g., Chromium Embedded Framework – CEF) or another automation platform is being used for authentication.”

He adds, “MITM intercepts the communications between a user and Google in real-time to gather the user’s credentials (including the second factor in some cases) and sign in. Because we can’t differentiate between a legitimate sign in and a MITM attack on these platforms, we will be blocking sign-ins from embedded browser frameworks starting in June. This is similar to the restriction on webview sign-ins announced in April 2016.”

Google has been working constantly to improve its protections against phishing attacks and to keep users’ information secure. Last year, Google announced that JavaScript must be enabled in the browser whenever users sign in. This lets Google run a risk assessment whenever a user enters credentials on a sign-in page and block the sign-in if there is any suspicion of an attack. The new announcement adds to the protection that Google provides its users against credential-based phishing and MITM attacks.

Google suggests that developers start using browser-based OAuth authentication as an alternative to embedded browser frameworks. Jonathan Skelker writes, “The solution for developers currently using CEF for authentication is the same: browser-based OAuth authentication. Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices. If you are a developer with an app that requires access to Google Account data, switch to using browser-based OAuth authentication today.”
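
As an added illustration (not code from Google's post or from this article), here is what browser-based OAuth looks like in a desktop app: the sign-in page opens in the user's default browser rather than an embedded frame, and the app only receives an authorization code on a loopback address. `CLIENT_ID` is a placeholder, the function names are hypothetical, and the use of PKCE with a loopback redirect is an assumption about how the app is registered.

```python
import base64, hashlib, secrets, webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "YOUR_CLIENT_ID.apps.googleusercontent.com"  # placeholder, not a real client

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_auth_request(port: int, scope: str = "openid email"):
    """Return (url, state, code_verifier) for a system-browser sign-in."""
    verifier = b64url(secrets.token_bytes(32))   # PKCE secret, never leaves the app
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    state = secrets.token_urlsafe(16)            # binds the callback to this request
    params = {"client_id": CLIENT_ID, "response_type": "code", "scope": scope,
              "redirect_uri": f"http://127.0.0.1:{port}", "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state, verifier

def parse_callback(path: str, expected_state: str) -> str:
    """Validate the loopback redirect and return the authorization code."""
    query = parse_qs(urlparse(path).query)
    got_state = query.get("state", [""])[0]
    if not secrets.compare_digest(got_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this sign-in")
    if "error" in query or "code" not in query:
        raise ValueError("authorization failed or no code returned")
    return query["code"][0]

def sign_in():
    """Open the default browser, wait for one redirect, return (code, verifier)."""
    result = {}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            result["path"] = self.path
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Sign-in complete. You can close this tab.")
        def log_message(self, *args):            # keep the code out of console logs
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)   # port 0: OS picks a free port
    url, state, verifier = build_auth_request(server.server_port)
    webbrowser.open(url)        # credentials are typed in the user's own browser
    server.handle_request()     # serve exactly one request: the redirect
    server.server_close()
    return parse_callback(result["path"], state), verifier

if __name__ == "__main__":
    code, verifier = sign_in()
    print("Code received; exchange it together with the code_verifier for tokens.")
```

The app never handles the password or second factor; it only sees the authorization code, which is useless without the matching `code_verifier`.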

Julia Sowells

Julia Sowells has been a technology and security professional. With a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.
