Google to Block Logins From Embedded Browsers to Prevent Phishing

Google on Thursday announced that it will soon block login attempts from embedded browser frameworks in an effort to prevent man-in-the-middle (MitM) phishing attacks.

The tech giant says phishing attacks that involve traffic interception are difficult to detect when an embedded browser framework or a different type of automation platform is used for authentication.

As an example of an embedded browser framework, Google provided its Chromium Embedded Framework (CEF), which is designed for embedding Chromium-based browsers in other applications.

Since its systems can’t tell the difference between legitimate logins and MitM attacks when such frameworks are used, Google has decided that, starting in June, it will block sign-ins from these frameworks.

The company says this latest move is similar to webview sign-in restrictions announced in April 2016.

“The solution for developers currently using CEF for authentication is the same: browser-based OAuth authentication. Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices,” said Jonathan Skelker, Product Manager of Account Security at Google.
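The browser-based flow Skelker describes can be sketched as follows. This is an added example, not code from Google or from this article: it builds an OAuth 2.0 authorization request with PKCE (RFC 7636) for the system browser and validates the loopback redirect (RFC 8252). The client ID is a placeholder and the loopback port and function names are assumptions.

```python
import base64, hashlib, hmac, secrets, webbrowser
from urllib.parse import urlencode, urlsplit, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "EXAMPLE_CLIENT_ID.apps.googleusercontent.com"  # placeholder
REDIRECT_URI = "http://127.0.0.1:8765/callback"  # assumed loopback port

def make_pkce_pair():
    """Return (code_verifier, code_challenge) for PKCE method S256."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43..128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge

def build_auth_request(scope="openid email"):
    """Return (url, state, verifier); only the URL ever leaves the app."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(32)  # binds the response to this request
    query = urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{AUTH_ENDPOINT}?{query}", state, verifier

def extract_code(redirect_url, expected_state):
    """Validate the loopback redirect and return the authorization code."""
    parts = urlsplit(redirect_url)
    if tuple(parts[:3]) != tuple(urlsplit(REDIRECT_URI)[:3]):
        raise ValueError("redirect did not arrive on the registered URI")
    params = parse_qs(parts.query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not for this request")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code

if __name__ == "__main__":
    url, state, verifier = build_auth_request()
    # The system browser shows the real accounts.google.com URL to the user;
    # the app never sees the password, only the code sent to the loopback URI.
    webbrowser.open(url)
```

The returned code is then exchanged at the token endpoint together with the stored `verifier`, so a code intercepted in transit is useless without it.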

These measures come after Google informed users last year that they must enable JavaScript in their web browser due to the introduction of a new security mechanism for the login process. Specifically, when the username and password are entered on the sign-in page, a JavaScript-based risk assessment is conducted and authentication is only successful if nothing suspicious is detected.

Related: Google Boosts Android Security with Protected Confirmation

Related: Google Tightens OAuth Rules to Combat Phishing

Related: Google to Revoke OAuth 2.0 Tokens Upon Password Reset

Related: JavaScript Library Introduced XSS Flaw in Google Search

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
