Google to Block Logins from Embedded Browser Frameworks – BleepingComputer

To increase protection against man-in-the-middle (MitM) attacks, Google in June will block sign-ins from embedded browser frameworks, which are used with some forms of phishing.

Embedded browser frameworks allow developers to add browsing capabilities to an application. One example is the Chromium Embedded Framework (CEF), which basically allows inserting Chromium-based browsers in apps.

An adversary running a phishing attack can use an embedded browser framework to execute JavaScript on a page and automate user activity. In a MitM scenario, the attacker can automate the login to the real Google service after capturing the credentials, and even two-factor authentication codes.

Embedded browser frameworks hard to detect

Jonathan Skelker, Product Manager and Account Security at Google, says that Google cannot “differentiate between a legitimate sign in and a MITM attack on these platforms.” The solution to this problem is to block the login action through these platforms.

This measure affects developers, who lose an easy way to offer authentication in their apps. The recommended alternative is browser-based OAuth authentication, which lets an app obtain access on the user's behalf without ever handling the username and password itself.

“Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices,” Skelker says, strongly recommending developers to make the switch.
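As an added illustration of the browser-based OAuth flow described above (this is example code, not from the article or from Google's own client libraries): the app hands a PKCE-protected authorization URL to the system browser, so the user types the password into the real Google page with the full URL visible, and the app only ever receives an authorization code. The client ID and loopback redirect URI are hypothetical placeholders; the endpoint URLs are Google's documented ones.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Google's documented OAuth 2.0 endpoints.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 (PKCE) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def challenge_for(verifier: str) -> str:
    """S256 code_challenge = base64url(SHA-256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair():
    """Fresh (code_verifier, code_challenge); the verifier stays in the app."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636 limits
    return verifier, challenge_for(verifier)


def build_auth_url(client_id, redirect_uri, scope, state, challenge):
    """URL to open in the system browser; the app never sees the password."""
    params = {
        "client_id": client_id, "redirect_uri": redirect_uri,
        "response_type": "code", "scope": scope, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Pull the code out of the loopback redirect; reject a wrong state."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this flow")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def token_request(client_id, redirect_uri, code, verifier):
    """Form body for the code exchange; the verifier proves this app started the flow."""
    return {"client_id": client_id, "redirect_uri": redirect_uri,
            "grant_type": "authorization_code", "code": code,
            "code_verifier": verifier}
```

In a real app the token request is POSTed to TOKEN_ENDPOINT over HTTPS and the resulting tokens, not the user's credentials, are what the app stores.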

Google’s steps to protect user logins

Denying authentication from embedded browser frameworks is a measure similar to the restriction Google announced in 2016 on web views, which are also embedded browsers.

The trend to a more secure sign-in experience continued at the end of October 2018, when Google announced that JavaScript should be enabled in the browser when signing into Google services.

With JavaScript active on the sign-in page, Google can run an analysis and permit access only if everything looks fine.


via Top stories – Google News

April 19, 2019 at 04:22AM
