Thursday, April 25, 2024
How To

Google Ban Embedded Browser Logins To Stop Man-In-The-Middle Attacks

Google will ban logins from embedded browser frameworks, starting June 2019. The reason is the increased risk of phishing hacks using the man-in-the-middle attack.

Users are most vulnerable to man-in-the-middle attacks when they login to their favorite apps via an embedded browser framework. A good example of an embedded browser is Chromium embedded framework, aka, CEF. It is used for logging in to Steam client, Evernote, and Amazon music.

Now a days, Google is unable to detect a MITM attack whenever you log in via an embedded browser.

Last year, Google announced that we would require JavaScript to be enabled in your browser when you sign in so that we can run a risk assessment whenever credentials are entered on a sign-in page and block the sign-in if we suspect an attack. This is yet another layer of protection on top of existing safeguards like Safe Browsing warnings, Gmail spam filters, and account sign-in challenges.

Man in the middle” (MITM), is hard to detect when an embedded browser framework or another automation platform is being used for authentication. MITM intercepts the communications between a user and Google in real-time to gather the user’s credentials (including the second factor in some cases) and sign in. Because we can’t differentiate between a legitimate sign in and a MITM attack on these platforms, we will be blocking sign-ins from embedded browser frameworks starting in June. This is similar to the restriction on webview sign-ins announced in April 2016.

What developers need to know

The solution for developers currently using CEF for authentication is the same: browser-based OAuth authentication. Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices. If you are a developer with an app that requires access to Google Account data, switch to using browser-based OAuth authentication today.

I hope you like this post. Do you have any questions? Leave a comment down below!

Thanks for reading. If you like this post probably you might like my next ones, so please support me by subscribing my blog.

You may like also:

Explore some IoT Tutorials:

Upvote on Reddit

Harshvardhan Mishra

Hi, I'm Harshvardhan Mishra. Tech enthusiast and IT professional with a B.Tech in IT, PG Diploma in IoT from CDAC, and 6 years of industry experience. Founder of HVM Smart Solutions, blending technology for real-world solutions. As a passionate technical author, I simplify complex concepts for diverse audiences. Let's connect and explore the tech world together! If you want to help support me on my journey, consider sharing my articles, or Buy me a Coffee! Thank you for reading my blog! Happy learning! Linkedin

One thought on “Google Ban Embedded Browser Logins To Stop Man-In-The-Middle Attacks

Leave a Reply

Your email address will not be published. Required fields are marked *