Stories
Slash Boxes
Comments

SoylentNews is people

Google Will Begin to Block Sign-Ins From Embedded Browser Frameworks in June

posted by janrinok on Saturday April 20 2019, @05:59PM   Printer-friendly
from the javascript==security dept.

MrPlow writes:

Submitted via IRC for ErkleLives

Phishing — schemes to nab personal data with disguised malicious webpages and emails — constituted more than 70% of all cyber attacks in 2016, according to a Verizon report. In an effort to combat them, Google last year announced it would require users to enable JavaScript during Google Account sign-in so that it could run attack-detecting risk assessments, and today, the company said it'll begin to block all sign-ins from embedded browser frameworks like Chromium Embedded Framework starting in June.

For the uninitiated, embedded browser frameworks enable developers to add basic web browsing functionality to their apps, and to use web languages like HTML, CSS, and JavaScript to create those apps' interface (or portions of it). They're typically cross-platform — Chromium Embedded Framework runs on Linux, Windows, and macOS — and they support a range of language bindings.

"We're constantly working to improve our phishing protections to keep your information secure," account security product manager Jonathan Skelker wrote in a blog post. "This is yet another layer of protection on top of existing safeguards like Safe Browsing warnings, Gmail spam filters, and account sign-in challenges."

[...] As an alternative to embedded browser frameworks, Google is suggesting that developers use browser-based OAuth authentication, which enables users to see the full address of the page where they're entering their credentials. "If you are a developer with an app that requires access to Google Account data, switch to using browser-based OAuth authentication today," Skelker said.

Source: https://venturebeat.com/2019/04/18/google-will-begin-to-block-sign-ins-from-embedded-browser-frameworks-in-june/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Google Will Begin to Block Sign-Ins From Embedded Browser Frameworks in June | Log In/Create an Account | Top | 14 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Insightful) by jb on Sunday April 21 2019, @05:26AM

    by jb (338) on Sunday April 21 2019, @05:26AM (#832859)

    The real problem of course is that the sites being targeted by the phishers forced their users to enable the javascript bug feature in their browsers in the first place.

    Google adding their voice to that cacophony of negligent security advice is only making the problem worse.

    Users: if you let your browser run arbitrary untrusted code from anywhere, that's exactly what it's going to do. Don't be surprised when it does.

    Webmasters: if you wilfully or negligently advise your users that it's safe to do something that by definition isn't, then go as far as requiring them to do that thing if they want to access your site at all, then you are actively aiding and abetting the phishers. It is only a matter of time before the honest people of the world find a way to hold you legally liable for that.

    Starting Score:    1  point
    Moderation   +1  
       Insightful=1, Total=1
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   3