Google to block sign-in attempts from embedded browsers

Mountain View takes aim at the man in the middle

Google is increasing its browser security in an effort to further protect its users from man-in-the-middle (MITM) attacks, the tech giant announced last week.

The update, set to be implemented in June, will enhance Google’s anti-phishing defenses by blocking sign-in attempts from automated authentication platforms, such as the Chromium Embedded Framework (CEF).

These platforms are typically used by third-party developers who want to embed browsers in their applications.

While CEF allows login to Google accounts with ease, the mechanism can also serve as a way for criminals to carry out successful MITM phishing campaigns – partly due to how a user’s credentials are automated.

“MITM intercepts the communications between a user and Google in real-time to gather the user’s credentials (including the second factor in some cases) and sign-in,” Jonathan Skelker, product manager for account product security at Google said in a blog post on Thursday.

“Because we can’t differentiate between a legitimate sign-in and a MITM attack on these platforms, we will be blocking sign-ins from embedded browser frameworks starting in June.”

Google has told developers to switch over to browser-based OAuth authentication if their application requires access to account data.

“Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices,” Skelker said.

The move follows others by Google to increase protections against malicious login attempts.

In 2016, for instance, the company stopped supporting any login attempts from embedded browsers such as WebView for reasons similar to the OAuth authentication requirement this coming June.

“Last year, we announced that we would require JavaScript to be enabled in your browser when you sign-in so that we can run a risk assessment whenever credentials are entered on a sign-in page and block the sign-in if we suspect an attack,” Skelker added.

The OAuth authentication change, however, could mean a decrease in functionality with certain apps.

The Daily Swig has reached out to Google for comment.