To strengthen protection against man-in-the-middle (MitM) phishing attacks, Google will start blocking sign-ins from embedded browser frameworks in June, because such frameworks are used in some forms of phishing.
Embedded browser frameworks let developers add web browsing capabilities to an application. One example is the Chromium Embedded Framework (CEF), which essentially allows a Chromium-based browser to be embedded inside an application.
An attacker running a phishing campaign can use an embedded browser framework to execute JavaScript on a page and automate the user's actions. In a MitM scenario, the attacker captures the credentials, or even the two-factor authentication codes, as the victim enters them, and then automates the sign-in to the real Google service.
Embedded browser frameworks are hard to tell apart from legitimate sign-ins
Jonathan Skelker, Product Manager for Account Security at Google, said that Google "can't differentiate between a legitimate sign in and a MITM attack on these platforms". Google's answer to the problem is to block the sign-in action from these platforms altogether.
The measure affects developers, who lose an easy way to offer Google authentication inside their applications. The recommended alternative is browser-based OAuth authentication, which lets the application obtain sign-in data (tokens) without ever handling the user's username and password.
"In addition to being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices," says Skelker, who strongly recommends that developers switch.
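The browser-based alternative the article recommends is the OAuth 2.0 authorization-code flow for native apps (RFC 8252) with PKCE (RFC 7636): the app opens the system browser on Google's authorization URL, receives a one-time code on a loopback redirect, and exchanges it for tokens, so it never sees the password and the user sees the real address bar. The following is an added example written for this page, not code from the article or from Google; the client ID, loopback port and scope are placeholder assumptions, and the `sign_in_with_system_browser` function performs live network calls, so only the pure helpers are exercised offline.

```python
"""Native-app OAuth 2.0 authorization-code flow with PKCE (RFC 7636, RFC 8252).
Added example for this page; CLIENT_ID, port and scope are placeholders."""
import base64
import hashlib
import json
import secrets
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
CLIENT_ID = "EXAMPLE_CLIENT_ID.apps.googleusercontent.com"  # placeholder (assumption)
REDIRECT_URI = "http://127.0.0.1:8765/callback"  # loopback redirect per RFC 8252


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: str = "") -> tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method.
    A fresh random verifier is generated unless one is supplied."""
    if not verifier:
        verifier = b64url(secrets.token_bytes(32))  # 43 chars, within 43..128
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(state: str, code_challenge: str,
                            scope: str = "openid email") -> str:
    """Authorization URL the system browser is sent to. The browser's address
    bar shows this https://accounts.google.com URL, which an embedded
    browser would have hidden from the user."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Validate the loopback redirect and return the authorization code.
    Rejects error responses, a mismatched state (CSRF / injected response)
    and redirects that carry no code."""
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code


def token_request_body(code: str, code_verifier: str) -> dict:
    """Body of the token exchange. The code is bound to the verifier, so a
    party that intercepts the code but not the verifier cannot redeem it."""
    return {
        "client_id": CLIENT_ID,
        "code": code,
        "code_verifier": code_verifier,
        "grant_type": "authorization_code",
        "redirect_uri": REDIRECT_URI,
    }


def sign_in_with_system_browser() -> dict:
    """Full flow (network required): open the system browser, wait for the
    loopback redirect, then exchange the code for tokens. The app never
    receives the user's password or second factor."""
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    received = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            received["url"] = "http://127.0.0.1:8765" + self.path
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Signed in. You may close this tab.")

    server = HTTPServer(("127.0.0.1", 8765), Handler)
    webbrowser.open(build_authorization_url(state, challenge))
    server.handle_request()  # one request: the redirect from the browser
    code = parse_redirect(received["url"], state)
    body = urlencode(token_request_body(code, verifier)).encode()
    req = Request(TOKEN_ENDPOINT, data=body, method="POST")
    with urlopen(req) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    print(sign_in_with_system_browser())
```

The design point is that every secret-bearing step happens in the system browser, under the real origin: the app only ever handles the short-lived authorization code and the PKCE verifier it generated itself, and the `state` check stops an attacker from injecting a code obtained elsewhere into the app's callback.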
Google's actions to protect user sign-ins
Rejecting sign-ins from embedded browser frameworks is a measure similar to the restriction Google announced in 2016 on OAuth requests from web views, which are also embedded browsers.
The move toward a more secure sign-in experience continued at the end of October 2018, when Google announced that JavaScript must be enabled in the browser when signing in to Google services.
With JavaScript enabled on the sign-in page, Google can run a risk assessment and allow the sign-in only if nothing looks suspicious.