Google's new update will help against phishing attacks, by barring logins from Embedded Browser Frameworks!

Over the past several months, cyber-criminals have been exploiting tools like Chromium Embedded Framework (CEF), XULRunner and many others for executing man-in-the-middle (MitM) attacks. Taking note of these attacks, Google's Security team announced an update that will hopefully help in tackling such kinds of security issues. This update will impact the user login system of Google.

In a blog post, Jonathan Skelker, Product Manager and Account Security for Google, claims that with the new security update, the tech giant aims to prevent all user login attempts from an embedded browser framework technology. This approach will definitely provide protection to users against MitM-related phishing attacks.

It’s a well-known fact that cyber-criminals found hacks a while ago to interrupt a user’s web traffic as Google login page often makes use of an embedded browser framework for making the login process automated.
"We’re constantly working to improve our phishing protections to keep your information secure." said Google. Adding further, "[Therefor] we will be blocking sign-ins from embedded browser frameworks starting in June."
The victims enter their Google account details on a phishing page and after that, the hackers, with the help of an embedded browser framework, make the login process on the actual Google server automated. This helps them in avoiding two-factor authentication systems. It should be mentioned here that embedded browser frameworks are the key players here as they engage with Google servers for the cyber-criminals.


The reason why this approach was so successful for the hackers is that Google can’t differentiate between an authentic login attempt and a MitM attack. This is why, the new update will entirely ban logins from embedded browser frameworks. The update will hopefully roll out by the time summer kicks off.

This isn’t the first time that Google has banned login attempts from embedded browsers. Back in 2016, the company blocked all login attempts from WebView and other similar embedded browsers. Also, in October 2018, login attempts from browsers were banned where JavaScript wasn’t enabled.

As for the developers that might get affected due to not being able to use tools like CEF, they are suggested to use the browser-based OAuth authentication solution. It is immune from phishing attacks and can help their app in easily accessing Google Account data.

Google's new update will help against man-in-middle attacks, by barring logins from Embedded Browser Frameworks!
Photo: Weerapatkiatdumrong / Getty Images

Read next: 1 in 5 Internet Users Are Malicious Bots
Previous Post Next Post