To increase protection against man-in-the-middle (MitM) attacks, Google in June will block sign-ins from embedded browser frameworks, which are used with some forms of phishing.

Embedded browser frameworks let developers add browsing capabilities to an application. One example is the Chromium Embedded Framework (CEF), which lets developers embed Chromium-based browser windows inside their apps.

An adversary running a phishing attack can use an embedded browser framework to execute JavaScript on a page and automate user activity. In a MitM scenario, the attacker can automate the login to the real Google service after capturing the credentials, and even two-factor authentication codes.

Embedded browser frameworks hard to detect

Jonathan Skelker, Product Manager for Account Security at Google, says that Google cannot “differentiate between a legitimate sign in and a MITM attack on these platforms.” The solution to this problem is to block sign-ins through these platforms altogether.

This measure affects developers, who lose an easy way to offer authentication in their apps. The recommended alternative is browser-based OAuth authentication, which lets an app obtain access to a user's Google account without ever handling the username and password itself.

“Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices,” Skelker says, and he strongly recommends that developers make the switch.
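The browser-based flow recommended above, as an added example that is not code from the article or from Google: the app generates a PKCE verifier, hands the authorization URL to the system browser (so the user sees the real address bar), and only ever receives an authorization code on a loopback redirect. The client ID is a placeholder; the authorization endpoint and the RFC 7636 / RFC 8252 mechanics are assumptions of this example.

```python
import base64, hashlib, secrets, urllib.parse, webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumptions: Google's OAuth 2.0 authorization endpoint and a placeholder client ID.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "YOUR-CLIENT-ID.apps.googleusercontent.com"  # placeholder, not a real ID


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256 transform: base64url(SHA-256(verifier)) with '=' padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    # 32 random bytes -> 43 unpadded base64url chars, the minimum length RFC 7636 allows
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def build_auth_url(client_id: str, redirect_uri: str, state: str, verifier: str) -> str:
    """Authorization request the system browser is sent to; the app never sees the password."""
    params = {
        "client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code",
        "scope": "openid email", "state": state,
        "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_redirect(path: str, expected_state: str):
    """Pull the code out of the loopback redirect; a state mismatch (CSRF / injected code) yields None."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    if query.get("state", [None])[0] != expected_state:
        return None
    return query.get("code", [None])[0]


def run_loopback_flow(client_id: str = CLIENT_ID):
    """Start a one-shot loopback listener, open the system browser, return the authorization code."""
    state, verifier, result = secrets.token_urlsafe(16), new_verifier(), {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            result["code"] = parse_redirect(self.path, state)
            self.send_response(200); self.end_headers()
            self.wfile.write(b"You can close this window.")

    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: the OS picks a free port
    redirect_uri = f"http://127.0.0.1:{server.server_port}/callback"
    webbrowser.open(build_auth_url(client_id, redirect_uri, state, verifier))
    server.handle_request()  # serve exactly one redirect, then stop
    return result.get("code")  # exchange at the token endpoint together with `verifier`
```

The returned code is only useful together with the verifier, so a code intercepted on the loopback interface cannot be redeemed by another process.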

Google's steps to protect user logins

Denying authentication from embedded browser frameworks is a measure similar to the restriction Google announced in 2016 on web views, which are also embedded browsers.

The trend toward a more secure sign-in experience continued at the end of October 2018, when Google announced that JavaScript should be enabled in the browser when signing in to Google services.

With JavaScript active on the sign-in page, Google can run an analysis and permit access only if everything looks fine.
