testsetset
Phishing — schemes to nab personal data with disguised malicious webpages and emails — constituted more than 70% of all cyber attacks in 2016, according to a Verizon report. In an effort to combat them, Google last year announced it would require users to enable JavaScript during Google Account sign-in so that it could run attack-detecting risk assessments, and today, the company said it’ll begin to block all sign-ins from embedded browser frameworks like Chromium Embedded Framework starting in June.
For the uninitiated, embedded browser frameworks enable developers to add basic web browsing functionality to their apps, and to use web languages like HTML, CSS, and JavaScript to create those apps’ interface (or portions of it). They’re typically cross-platform — Chromium Embedded Framework runs on Linux, Windows, and macOS — and they support a range of language bindings.
“We’re constantly working to improve our phishing protections to keep your information secure,” account security product manager Jonathan Skelker wrote in a blog post. “This is yet another layer of protection on top of existing safeguards like Safe Browsing warnings, Gmail spam filters, and account sign-in challenges.”
With the change, Google is specifically targeting man in the middle (MITM) attacks, which it says are particularly difficult to spot from automation platforms like embedded browser frameworks. MITM intercepts data exchanges between users and servers in real time to gather credentials — behavior that Google can’t differentiate from legitimate sign-in attempts.
June 5th: The AI Audit in NYC
Join us next week in NYC to engage with top executive leaders, delving into strategies for auditing AI models to ensure fairness, optimal performance, and ethical compliance across diverse organizations. Secure your attendance for this exclusive invite-only event.
As an alternative to embedded browser frameworks, Google is suggesting that developers use browser-based OAuth authentication, which enables users to see the full address of the page where they’re entering their credentials. “If you are a developer with an app that requires access to Google Account data, switch to using browser-based OAuth authentication today,” Skelker said.
Today’s announcement comes roughly two years after Google restricted sign-ins using web views, or browsers bundled within mobile apps. In a related development in February, Google said that it was actively testing improved phishing- and malware-filtering models within Gmail, and claimed that it’s now blocking more than 100 million more spam emails a day.
