Google bans logins from embedded browser frameworks to prevent MitM phishing

Google previously banned logins initiated from browsers where JavaScript had been disabled.
Written by Catalin Cimpanu, Contributor

Google announced today a security update for the Google user login system that the company hopes will improve its overall security protections against MitM-based phishing attacks.

According to Jonathan Skelker, Product Manager and Account Security for Google, the company plans to block any user login attempts initiated from an embedded browser framework technology.

This includes any logins attempted from tools like the Chromium Embedded Framework (CEF), XULRunner, and others.

Embedded browser frameworks abused for MitM phishing

Over the past year, cyber-criminals have been using these tools as part of man-in-the-middle (MitM) attacks.

Crooks that manage to place themselves in a position to intercept the user's web traffic for the Google login page will often use an embedded browser framework to automate the login operation.

The user enters their Google login credentials on a phishing page, and then the crooks operating the page use an embedded browser framework to automate the login operation on the real Google server.

They use this technique to bypass two-factor authentication systems, and embedded browser frameworks are usually the component that interacts with Google servers on the cyber-criminal's behalf.

Google can't tell embedded browsers from real users

"Because we can't differentiate between a legitimate sign in and a MITM attack on these platforms, we will be blocking sign-ins from embedded browser frameworks starting in June," Skelker said.

This is just the latest in a series of security updates Google has rolled out for its user login system.

Last October, the company banned any login attempts from browsers where JavaScript was disabled. In June 2016, Google banned any login attempts initiated from embedded browsers such as WebView.

As for the developers who will now have to rip out embedded browser frameworks like CEF from their apps, Google is recommending that they use browser-based OAuth authentication instead, a solution that isn't prone to phishing attacks.

"Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices," Skelker said. "If you are a developer with an app that requires access to Google Account data, switch to using browser-based OAuth authentication today."
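To make the recommended alternative concrete, here is an added example (not code from the article or from Google) of the client side of a browser-based OAuth flow for a desktop app: it generates a PKCE verifier/challenge pair, builds the authorization request that is handed to the system browser rather than an embedded webview, and validates the `state` parameter on the loopback redirect. The authorization endpoint URL, the client id placeholder and the loopback redirect URI are assumptions for illustration.

```python
import base64
import hashlib
import secrets
import webbrowser
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed Google OAuth 2.0 authorization endpoint; confirm against Google's current docs.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the RFC 7636 S256 method."""
    if verifier is None:
        # 32 random bytes -> 43 URL-safe characters, within the 43..128 range RFC 7636 allows.
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_auth_url(client_id, redirect_uri, scope, state, code_challenge):
    """Authorization request to open in the system browser, where the user sees the real URL."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the loopback redirect; reject a state mismatch."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this login attempt")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    url = build_auth_url("YOUR_CLIENT_ID", "http://127.0.0.1:8080/cb", "openid email", state, challenge)
    webbrowser.open(url)  # hand off to the system browser, never an embedded frame
    # A loopback HTTP listener on 127.0.0.1:8080 receives the redirect and passes it to
    # parse_callback; the code is then exchanged for tokens together with `verifier`.
```

The `verifier` never leaves the app until the token exchange, so an authorization code observed in transit cannot be redeemed without it.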
