Google will block login activity from embedded browser frameworks


To strengthen Chrome's protection against the rapid rise of man-in-the-middle (MitM) attacks, Google said it will officially block logins from embedded browser frameworks, which are used in some forms of fraud, starting in June.

Embedded browser frameworks allow developers to add browsing capabilities to any application they create. A common example is the Chromium Embedded Framework (CEF), which lets developers embed a Chromium-based browser in their applications.


However, the attackers behind a phishing campaign can use an embedded browser framework to execute JavaScript on a web page and, at the same time, automate the user's login activity. In a MitM scenario, an attacker can automatically log in to Google's real service after capturing the user's login information and even the two-factor authentication code.

Embedded browser frameworks are difficult to detect

Jonathan Skelker, Product Manager, Account Security at Google, said that not only Google but most other developers are having trouble 'distinguishing between a legitimate login session and a login session from a MITM attack on service platforms. And the most effective solution to this problem is to block login activity through specific service platforms'.


This method is effective, but it can affect a lot of developers, because they will lose an easy way to provide authentication in their applications. One recommended alternative is to use browser-based OAuth authentication, which allows sharing login data while ensuring the security of information such as usernames and passwords.

'In addition to maintaining security, OAuth authentication also allows users to view and manage the entire URL of the page where they are entering their account information, thereby strengthening anti-phishing activities more effectively,' Mr. Skelker said, while recommending that developers make this necessary transition.
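
The browser-based OAuth flow recommended above, seen from the application's side, as an added example (not Google's code and not part of the original article): the app hands a PKCE-protected authorization URL to the system browser and validates the redirect it gets back on a loopback listener. The endpoint, client ID, loopback port and function names are placeholders assumed for illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode

# Placeholders assumed for this example (not from the article).
AUTH_ENDPOINT = "https://auth.example/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "http://127.0.0.1:8765/callback"  # loopback listener owned by the app


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge from RFC 7636: BASE64URL(SHA256(verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def begin_login() -> dict:
    """Build the URL to open in the system browser; the app never handles the password."""
    verifier = _b64url(secrets.token_bytes(32))  # stays in app memory until token exchange
    state = _b64url(secrets.token_bytes(16))     # binds the callback to this attempt
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    })
    return {"url": f"{AUTH_ENDPOINT}?{query}", "state": state, "verifier": verifier}


def handle_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect received on the loopback listener and return the code."""
    base, _, query = callback_url.partition("?")
    if base != REDIRECT_URI:
        raise ValueError("callback did not arrive on the registered redirect URI")
    params = parse_qs(query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not for this login attempt")
    if len(params.get("code", [])) != 1:
        raise ValueError("expected exactly one authorization code")
    return params["code"][0]
```

The verifier is sent only in the later token exchange, so an authorization code intercepted on its way back to the app cannot be redeemed without it.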


Essential moves by Google to protect user login information

Denying authentication from embedded browser frameworks is a measure similar to the restrictions Google announced in 2016 on web views, which are also related to embedded browsers.


Google continued its push for a safer login experience at the end of October 2018, when the Mountain View giant announced that JavaScript should be enabled in all browsers when logging in to Google services. With JavaScript running on the login page, Google can run analytics and only allow access sessions if everything is fine.


Update 24 May 2019