Google bans embedded in-app sign-ins to curb phishing attacks

Google will soon block in-app embedded browser logins to fight against phishing attacks. Image: Thomas Trutschel/Photothek via Getty Images

By Matt Binder, 2019-04-19 15:16:37 UTC

Google is taking a big step to fight phishing attempts on its users.

In a post on the company’s security blog, Google’s Product Manager of Account Security Jonathan Skelker announced that the search giant will begin to block account sign-ins from embedded browsers within applications.

The problem with embedded browsers, as Skelker lays out, is that they leave Google’s users susceptible to phishing attacks from bad actors.

Previously, third-party developers could add web browser instances, like the Chromium Embedded Framework, to their apps. This allowed users to log into a service with their existing Google account without having to sign up for a fresh account on a brand new platform.

While embedded browsers may have made it easy for an app user to sign up or log in, they also made it just as simple for a hacker to carry out a man-in-the-middle phishing attack. Malicious actors could use embedded browser frameworks to essentially eavesdrop on an unsuspecting user and steal their login credentials.

Unfortunately, Google can’t differentiate between legitimate sign-ins and a phishing attack through embedded browser frameworks.