Submitted via IRC for ErkleLives
Phishing — schemes to nab personal data with disguised malicious webpages and emails — constituted more than 70% of all cyber attacks in 2016, according to a Verizon report. In an effort to combat them, Google last year announced it would require users to enable JavaScript during Google Account sign-in so that it could run attack-detecting risk assessments, and today, the company said it'll begin to block all sign-ins from embedded browser frameworks like Chromium Embedded Framework starting in June.
For the uninitiated, embedded browser frameworks enable developers to add basic web browsing functionality to their apps, and to use web languages like HTML, CSS, and JavaScript to create those apps' interface (or portions of it). They're typically cross-platform — Chromium Embedded Framework runs on Linux, Windows, and macOS — and they support a range of language bindings.
"We're constantly working to improve our phishing protections to keep your information secure," account security product manager Jonathan Skelker wrote in a blog post. "This is yet another layer of protection on top of existing safeguards like Safe Browsing warnings, Gmail spam filters, and account sign-in challenges."
[...] As an alternative to embedded browser frameworks, Google is suggesting that developers use browser-based OAuth authentication, which enables users to see the full address of the page where they're entering their credentials. "If you are a developer with an app that requires access to Google Account data, switch to using browser-based OAuth authentication today," Skelker said.
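The "browser-based OAuth" the article recommends means the native app never renders the sign-in page itself: it hands the authorization URL to the system browser, where the user can read the real address bar, and receives the result on a loopback redirect (the pattern from RFC 8252, with PKCE from RFC 7636 so that an intercepted code is useless without the verifier). The following is an added illustration, not code from the article or from Google; it assumes Google's published authorization endpoint, uses a placeholder client ID, and stops at receiving the authorization code (the token exchange would be a further request to the token endpoint).

```python
"""Browser-based OAuth 2.0 for a native app: authorization code + PKCE,
system browser, loopback redirect. Constructed example; CLIENT_ID and the
requested scope are placeholders."""
import base64
import hashlib
import secrets
import urllib.parse
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer

# Google's published OAuth 2.0 authorization endpoint; CLIENT_ID is a placeholder.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "YOUR_CLIENT_ID.apps.googleusercontent.com"


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    if verifier is None:
        # 32 random bytes -> 43 URL-safe characters, inside the 43..128 range the RFC requires.
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_auth_url(client_id, redirect_uri, scope, state, challenge):
    """Build the URL the system browser is sent to; the user sees this host."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_callback(path, expected_state):
    """Extract the authorization code from the loopback redirect, rejecting
    error responses and any state mismatch (CSRF / mix-up protection)."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    if "error" in params:
        raise ValueError("authorization server returned error: %s" % params["error"][0])
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this request")
    codes = params.get("code")
    if not codes:
        raise ValueError("no authorization code in redirect")
    return codes[0]


class _CallbackHandler(BaseHTTPRequestHandler):
    """One-shot handler: records the redirect path on the server object."""

    def do_GET(self):
        self.server.callback_path = self.path
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"Sign-in received; you may close this window.")

    def log_message(self, *args):  # keep the console quiet
        pass


def run_loopback_flow(client_id=CLIENT_ID, scope="openid email"):
    """Open the system browser and block until the single redirect arrives on
    127.0.0.1. Returns (authorization_code, code_verifier) for the token exchange."""
    server = HTTPServer(("127.0.0.1", 0), _CallbackHandler)  # ephemeral port
    server.callback_path = None
    redirect_uri = "http://127.0.0.1:%d/callback" % server.server_port
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    webbrowser.open(build_auth_url(client_id, redirect_uri, scope, state, challenge))
    server.handle_request()  # serve exactly one request, then return
    server.server_close()
    return parse_callback(server.callback_path, state), verifier


if __name__ == "__main__":
    code, verifier = run_loopback_flow()
    print("authorization code received; exchange it with code_verifier:", verifier[:8] + "...")
```

The security point lives in three places: the browser that renders the login page is the user's own, not one the app controls, so the address bar is trustworthy; `state` ties the redirect to the request that started it; and the PKCE verifier never leaves the app, so a code captured on the loopback by another local process cannot be redeemed without it.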
(Score: 1, Insightful) by Anonymous Coward on Saturday April 20 2019, @06:54PM (1 child)
Seriously, how could they enforce this? I suppose they could do it by blocking the user agent, but we've seen how well that works for Cisco and Curl. The big problem is that with CEF, the black hat has complete control of the framework used, which means they can alter headers at will and monkey patch whatever they want. This sounds like they are doing something with big words lay people won't understand, but aren't actually doing anything of value.
(Score: 0) by Anonymous Coward on Sunday April 21 2019, @12:41AM
Well, they are raising the bar for script kiddies a bit. But then again, it won't be too long until the kits are updated to change the headers and stuff, like you said. In addition, script kiddies aren't the real problem, it's the professionals who really know what they are doing.
(Score: 2, Interesting) by zoward on Saturday April 20 2019, @08:28PM
I wonder how this will affect browsers like Falkon, which are basically wrappers around QtWebEngine, which is basically a wrapper around Chrome's Blink rendering engine ... especially if it passes the user agent string of one of the more common browsers that use the same engine. It doesn't have to be Chrome, how about Edge? Or Opera?
I'm gonna have to play with this for awhile.
(Score: 5, Touché) by SomeGuy on Saturday April 20 2019, @08:31PM (7 children)
For your security... riiiigh. Can't possibly have to do with adding advertising or other retarded crap, can it.
(Score: 3, Informative) by darkfeline on Saturday April 20 2019, @08:44PM (4 children)
There are no ads on the sign-in page. Since the authentication system is probably shared between consumer accounts and enterprise accounts, it's not even possible from a data ownership perspective to do that.
Join the SDF Public Access UNIX System today!
(Score: 1, Funny) by Anonymous Coward on Saturday April 20 2019, @09:03PM
That's what they want you to think. The fact is that they are showing subliminal ads every 27th screen refresh.
(Score: 1, Funny) by Anonymous Coward on Sunday April 21 2019, @03:46AM
One of the first things you learn in marketing... advertising is ALWAYS possible.
Besides, it's got what plants crave!
(Score: 2) by fyngyrz on Sunday April 21 2019, @11:56AM (1 child)
Fine. But you have to have javascript enabled. Unless there is a mechanism that only enables javascript on the sign-in page, the problem isn't limited to the sign-in page, it applies to every other page you visit.
It's a bit much to expect the user to enable and disable javascript going into and out of the sign-in page, isn't it?
--
It's not really how I look that reveals my age.
It's using complete sentences when I text.
(Score: 2) by darkfeline on Sunday April 21 2019, @09:28PM
If you have javascript globally disabled, why even bother logging in to Google? I don't think there's a single service you can use without javascript enabled. Maybe the legacy HTML Gmail view? But then you may as well use POP/IMAP and a local client.
Join the SDF Public Access UNIX System today!
(Score: 3, Insightful) by jb on Sunday April 21 2019, @05:26AM
The real problem of course is that the sites being targeted by the phishers forced their users to enable the javascript bugfeature in their browsers in the first place. Google adding their voice to that cacophony of negligent security advice is only making the problem worse.
Users: if you let your browser run arbitrary untrusted code from anywhere, that's exactly what it's going to do. Don't be surprised when it does.
Webmasters: if you wilfully or negligently advise your users that it's safe to do something that by definition isn't, then go as far as requiring them to do that thing if they want to access your site at all, then you are actively aiding and abetting the phishers. It is only a matter of time before the honest people of the world find a way to hold you legally liable for that.
(Score: 1) by ShadowSystems on Monday April 22 2019, @01:26AM
Given I've turned off *all* scripting of any kind, the fact that Google or anyone would claim to require JS for my safety makes me laugh.
I value my safety which is why I refuse to let that crap in the door.
My old bank changed the site so it now requires JS to function, and I lost count of the number of times I emailed them with links to articles showing exactly how brain dead that was.
I finally switched banks rather than enable JS to log in to their site, so if I'm not willing to enable it for my (now ex) bank, what chance in hell do you think anyone else has of forcing me to do it either?
My new bank doesn't require it & maintains HTTPS just fine, so I feel rather smug.
Dear site providers. Stop using scripts. It just makes your site a turd that doesn't take a polishing & puts lipstick on the wrong end of the pig.
(Score: 2) by Gaaark on Sunday April 21 2019, @12:04AM (1 child)
They've stopped me from using openwmail(sp?) to access my Gmail: openwmail is so much faster.
DENIED!
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2, Insightful) by Anonymous Coward on Sunday April 21 2019, @12:36AM
Yeah, that sucks. And the official answer from Google has been "the situation is under review," since March 20th. I wouldn't hold my breath after this development though. There are workarounds, but they might require a heavy rewrite of the authentication system.
(Score: 0) by Anonymous Coward on Sunday April 21 2019, @07:13AM
Half price today!