Late last year, Google began requiring users to have JavaScript enabled in their web browser when signing in to their account, so that it could assess risks in real time. The ultimate goal was to protect users from phishing attacks in particular, by blocking the sign-in process if Google's security system detects suspicious activity.
However, the threat landscape undeniably continues to expand and Google is well aware of the need for its security measures to adapt as well. That is why, beginning in June, it will no longer allow sign-ins from embedded browser frameworks, Jonathan Skelker, Product Manager for Account Security at Google, announced in a blog post.
This particular measure is meant to address the growing threat posed by a certain type of phishing scheme known as a man-in-the-middle (MITM) attack. For the uninitiated, in a MITM attack bad actors intercept messages in real time as they pass between the victim and another party, such as Google, and scrape user data from them.
The search giant admits that it is difficult to detect this kind of attack when the verification process is conducted on an embedded browser framework like the Chromium Embedded Framework. So, the company has decided it has no other option but to block sign-ins from such frameworks.
The upcoming change is the latest in Google's efforts to fight phishing attacks. In May 2017, it bolstered its anti-phishing and spam tools to detect suspicious items with what it claimed to be 99.9% accuracy. Earlier that month, Google also updated its approach to the publishing process for web apps that request user data after a phishing scam made the rounds via a Google Docs file.