Google adds better protection against man-in-the-middle attacks

As reported in a blog post, Google is taking steps to increase protection against man-in-the-middle attacks. The steps specifically relate to logins from embedded browser frameworks as the company will, starting in June, block all such embedded logins in their products. As of now, developers can utilize embedded browser frameworks to create browsing features in their applications. This allows for the potential of a man-in-the-middle attack via a phishing attack that employs exploitation of JavaScript in the frameworks.

Google product manager of account security Jonathan Skelker, the author of the blog post, describes the process as follows:

‘Man in the middle’ (MITM) is hard to detect when an embedded browser framework (e.g., Chromium Embedded Framework — CEF) or another automation platform is being used for authentication). MITM intercepts the communications between a user and Google in real-time to gather the user’s credentials (including the second factor in some cases) and sign in. Because we can’t differentiate between a legitimate sign in and a MITM attack on these platforms, we will be blocking sign-ins from embedded browser frameworks starting in June. This is similar to the restriction on webview sign-ins announced in April 2016.

The post notes that developers need not worry too much about the changes taking place. The reason for this is that Google is using the following fix:

The solution for developers currently using CEF for authentication is the same: browser-based OAuth authentication. Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices. If you are a developer with an app that requires access to Google Account data, switch to using browser-based OAuth authentication today.

It will be interesting to see how this change affects the prevalence of man-the-in-middle attacks in Google products. Regardless, it is nice to see Google taking more initiative with its security protocols as they have been embattled for quite some time (thanks to Play Store malware and other issues).

Featured image: Flickr/Carlos Luna

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Published by
Derek Kortepeter

Recent Posts

Best programming languages to learn in 2020

Every hour you spend learning to code will pay off big. But which are the best programming languages to learn?…

6 hours ago

Endpoint security best practices and policies to mitigate risks

Failure to adequately secure endpoints can have catastrophic results. Here’s a look at the most important endpoint security best practices.

11 hours ago

Simplifying complex networks: A guide for enterprises

As networks grow in technological capabilities, they are harder to manage. Here are some tools for simplifying complex networks that…

14 hours ago

Managing Azure firewall and virtual networks with PowerShell

Here’s how to manage firewall and virtual networks in a Storage Account and how to use Azure Automation to enforce…

1 day ago

Microsoft exposed 250 million users’ private records in December

Microsoft exposed roughly 250 million customer service and support records last month. While the company says it secured all servers,…

1 day ago

Keep a lid on your AWS cloud goodies with breach and attack simulation

If you store business data in the AWS cloud, you need to secure it against unauthorized access. A breach and…

2 days ago