Google wants to curb phishing by blocking embedded Chrome logins
Man in the middle attacks are a major concern when it comes to protecting login credentials online, and Google is looking to better protect against them in Chrome. The company has announced that later this year, it will begin blocking logins from embedded browsers, like the Chromium Embedded Framework. This will give end users more safety against phishing, but it also might make things a little more inconvenient.
If you've ever had to open Chrome from within another app, it's likely you've used Chromium Embedded Framework. Essentially, Chromium allows developers to open up a browser instance within their apps, which is useful for when users need to sign into their Google accounts. For instance, if you play a mobile game that supports Google Play logins, that game will open up a Chromium instance to allow you to quickly sign into your account.
Embedded browser frameworks are nice because users don't need to open up their phone's browsers just to handle a login or follow a link, but Google says in a post to its security blog that logins carried out through embedded browsers are vulnerable to man in the middle attacks. Google says that this form of phishing is "hard to detect" within embedded browser frameworks, which means that Google's security measures can't always prevent malicious third-parties from intercepting login credentials as they're submitted.
The solution to this problem is a pretty straightforward one: Google has revealed that it will begin blocking embedded browser logins beginning in June. The company tells developers who are using embedded browser frameworks for logins to switch to browser-based OAuth authentication.
Not only will this make logins less susceptible to man in the middle attacks, but Google points out that it also shows users the full URL of the page they're visiting, which further protects against phishing. Google hasn't set a precise date for the end of embedded browser logins, but it's encouraging developers to make the switch to OAuth today.