To increase protection against man-in-the-middle (MitM) phishing attacks, Google will block sign-ins from embedded browser frameworks starting in June. These frameworks are used by some phishing kits to relay a victim's credentials to the real Google login.

Embedded browser frameworks allow developers to add browsing capabilities to an application. One example is the Chromium Embedded Framework (CEF), which basically allows inserting Chromium-based browsers in apps.

An adversary running a phishing attack can use an embedded browser framework to execute JavaScript on a page and automate user activity. In a MitM scenario, the attacker captures the credentials the victim types into the phishing page and then uses the embedded browser to automate a login to the real Google service with them, including any two-factor authentication code the victim supplies.

Embedded browser frameworks are hard to detect

Jonathan Skelker, Product Manager and Account Security at Google, says that Google is unable to “differentiate between a legitimate sign in and a MITM attack on these platforms.” The solution to this problem is to block login actions coming through these platforms altogether.

This measure affects developers, who lose an easy way to offer authentication in their apps. The recommended alternative is browser-based OAuth authentication: the login happens in the user's regular browser, and the app receives only an authorization token, so the username and password are never entered into, or visible to, the app itself.

“Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices,” Skelker says, strongly recommending that developers make the switch.
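As an added example (not code from the article or from Google), here is the shape of the browser-based OAuth flow the article recommends: the app generates a PKCE verifier and challenge, builds the authorization URL for Google's real endpoint, hands it to the system browser, and afterwards only receives an authorization code on a loopback redirect. The client ID and redirect URI are placeholder assumptions; the PKCE challenge function is checked against the published RFC 7636 test vector.

```python
import base64
import hashlib
import os
import secrets
import urllib.parse
import webbrowser

# Google's documented OAuth 2.0 endpoints.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"

# Assumed placeholders for illustration; a real app registers its own.
CLIENT_ID = "YOUR_CLIENT_ID.apps.googleusercontent.com"
REDIRECT_URI = "http://127.0.0.1:8080/callback"  # loopback redirect for desktop apps


def new_verifier() -> str:
    """Random PKCE code_verifier: 32 bytes -> 43 unpadded base64url chars (RFC 7636 allows 43..128)."""
    return base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge per RFC 7636: BASE64URL(SHA256(verifier)) with no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_auth_url(client_id: str, redirect_uri: str, scope: str, state: str, verifier: str) -> str:
    """Authorization URL the app opens in the user's own browser (full URL visible to the user)."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Extract the authorization code from the loopback redirect.

    The app never sees the password; all it gets back is this short-lived code.
    The state check rejects responses that were not started by this app instance.
    """
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: response does not belong to this login attempt")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code


def token_request_body(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Form fields POSTed to TOKEN_ENDPOINT to trade the code for tokens.

    Sending the original verifier proves that the same client that started the
    flow is finishing it, so an intercepted code alone is useless.
    """
    return {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
        "code": code,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    verifier = new_verifier()
    state = secrets.token_urlsafe(16)
    url = build_auth_url(CLIENT_ID, REDIRECT_URI, "openid email", state, verifier)
    print("Opening system browser at:", url)
    webbrowser.open(url)  # user signs in on accounts.google.com, not inside the app
    # A real app would now run a tiny HTTP listener on 127.0.0.1:8080, pass the
    # redirect URL it receives to parse_redirect(), and POST token_request_body().
```

The only secrets the app ever holds are the authorization code and the tokens it exchanges that code for; the credentials and any second factor are typed on accounts.google.com in the user's own browser, which is exactly the property the embedded-browser ban is meant to enforce.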

Google’s steps to protect user logins

Denying authentication from embedded browser frameworks is similar to the restriction Google announced in 2016 on sign-ins from web views, which are also embedded browsers.

The trend toward a more secure sign-in experience continued at the end of October 2018, when Google announced that JavaScript must be enabled in the browser when signing in to Google services.

With JavaScript active on the sign-in page, Google can run a risk assessment in the browser and permit the login only if nothing looks suspicious.
