Google will ban login through the embedded browser framework from June
At the end of last year, Google began requiring users to have JavaScript enabled in their browsers when signing in, so that it could assess relevant risks in real time. The ultimate goal of this measure is to protect users from phishing attacks by preventing high-risk sign-ins when Google's security system detects suspicious activity. As the situation became more severe, Google product manager Jonathan Skelker announced in a blog post that from June 2019, the company would no longer allow logins through embedded browser frameworks.
The move is reportedly aimed at a type of phishing known as a "man in the middle" (MITM) attack, which has become an increasingly serious threat in recent years. In short, an attacker can use a man-in-the-middle attack to intercept information in real time as it is transmitted between two parties.
The search giant acknowledges that “one form of phishing, known as ‘man in the middle’ (MITM), is hard to detect when an embedded browser framework (e.g., Chromium Embedded Framework – CEF) or another automation platform is being used for authentication. MITM intercepts the communications between a user and Google in real-time to gather the user’s credentials (including the second factor in some cases) and sign in. Because we can’t differentiate between a legitimate sign in and a MITM attack on these platforms, we will be blocking sign-ins from embedded browser frameworks starting in June. This is similar to the restriction on webview sign-ins announced in April 2016.”
Via: Neowin