Google Bans Embedded Browser Logins In Brutal War Against Phishing Attacks

In an ongoing effort to stay one step ahead of the bad guys (or at least keep pace with them), Google has decided to block sign-ins from embedded browser frameworks, such as the Chromium Embedded Framework (CEF). The new policy will go into effect in June, so developers have a couple of months to adjust.

This is intended as yet another layer of protection to keep users safe from phishing attempts, malware, and so forth. In this particular instance, blocking sign-ins from embedded browser frameworks is intended to protect against man-in-the-middle (MITM) attacks, which is basically when an attacker is able to eavesdrop communication between two parties.

Enabling two-factor authentication can help, but from Google's perspective, it's not a wholesale solution. While not mentioned, that's in part because not everyone uses 2FA, even when it's available.

"MITM intercepts the communications between a user and Google in real-time to gather the user’s credentials (including the second factor in some cases) and sign in. Because we can’t differentiate between a legitimate sign in and a MITM attack on these platforms, we will be blocking sign-ins from embedded browser frameworks starting in June," Google stated in a blog post.

Embedded browser frameworks like CEF allow developers to add web browsing abilities to their mobile apps. One reason a developer might go this route is to allow a user to sign into an account using a third-party service, like Google or Facebook, instead of being pushed out to a browser. Unfortunately, it comes with a phishing risk, and so Google is putting an end to the practice.

In its place, Google suggests using browser-based OAuth authentication.

"Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices. If you are a developer with an app that requires access to Google Account data, switch to using browser-based OAuth authentication today," Google added.

Today's announcement comes a year after Google starting requiring JavaScript to be enabled in browsers when signing, so that it could run a risk assessment whenever credentials are entered and, if deemed necessary, block the login attempt.