Google says it is going to block embedded browser sign-ins across all its services starting in June. The company says it is difficult to tell whether an embedded browser is being used legitimately or for phishing. To avoid that ambiguity, the company will simply deny access to its services from embedded browsers.
If you are unfamiliar with the term, embedded browsers are common in applications built by developers: an app embeds a browser so you can sign in to a service directly within the app. For example, a Gmail log-in used to sign up for a third-party service.
The problem is that these embedded browsers are a soft target for cybercriminals, especially for building phishing attacks. Because the app controls the embedded browser, an attacker can exploit Google’s Chromium Embedded Framework by hijacking the communication link between the user and Google.
Bad actors can use this method to capture user log-in credentials in real time. Google has fought this easy backdoor with strict security measures around log-in to its services. Now, however, the company has decided to simply end support entirely.
“MITM (man in the middle) intercepts the communications between a user and Google in real-time to gather the user’s credentials (including the second factor in some cases) and sign in. Because we can’t differentiate between a legitimate sign-in and a MITM attack on these platforms, we will be blocking sign-ins from embedded browser frameworks starting in June.”
Starting in June, when you go to sign in to a Google account, the app will send you to your default browser instead. In a note, the company says developers should move their apps to OAuth authentication. Opening the sign-in page in the system browser shows the URL of the page, which helps users spot phishing attempts.