Sign-ins to Google from embedded browser frameworks will soon be blocked. Google announced on Thursday, April 18 that the change is being made to improve protections against man-in-the-middle (MitM) attacks.
Google cannot easily differentiate between a legitimate login attempt to a Google account and a MitM attack that uses embedded browser frameworks such as the Chromium Embedded Framework (CEF).
CEF and other embedded browser frameworks are used by developers to add browsing capabilities to their applications. Google’s move, which will be implemented in June, is good news for users, as it will offer them greater protection against phishing, but potentially bad news for developers, who will lose one of the options available for incorporating authentication into their apps.
Google has suggested that the best alternative is OAuth authentication. This option is preferable from a security standpoint, as it allows login data to be shared while keeping the login credentials themselves secure. As an added advantage, this method lets users view the full URL of the webpage where they enter their credentials, which makes it easier for them to identify potential phishing attacks.
The new security measure should help to keep users better protected, and joins Google’s spam filter, account sign-in challenges, and safe browser warnings in protecting against phishing attempts.