Google to Start Blocking Logins from Embedded Browsers to Help Combat MitM Attacks

Sign-ins to Google from embedded browser frameworks will soon be blocked. Google announced on Thursday, April 18 that the change is being made to improve protections against man-in-the-middle (MitM) attacks.

Embedded browser frameworks are often used in phishing attacks to automate user activity. If a user visits a phishing website that spoofs the Google login page and is requested to enter their Google credentials, the attacker could run JavaScript via embedded browser frameworks to automate logins to the genuine Google page using captured credentials in real time, including capturing and using 2-factor authentication codes.

Google cannot easily differentiate between a legitimate login attempt to a Google account and a MitM attack that uses embedded browser frameworks such as the Chromium Embedded Framework (CEF).

CEF and other embedded browser frameworks are used by developers to add browsing capabilities to their applications. Google’s move, which will be implemented in June, is good news for users as it will offer them greater protection against phishing, but potentially bad news for developers who will lose one of the options available to incorporate authentication into their apps.

Google has suggested the best alternative to adopt is OAuth authentication. This option is preferable security-wise, as it allows the sharing of login data while keeping login credentials safe and secure. As an added advantage, this method allows users to view the full URL of the webpage when they enter their credentials, which makes it easier for them to identify potential phishing attacks.

The latest measure follows a similar change made by Google in relation to embedded browser frameworks last year, which required JavaScript to be enabled in the browser following the introduction of a new security measure that uses JavaScript to conduct a risk assessment to identify and block suspicious login attempts.

The new security measure should help to keep users better protected, and joins Google’s spam filter, account sign-in challenges, and safe browser warnings to protect against phishing attempts.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of