Security news that informs and inspires

Google Moves Developers to OAuth to Help Prevent Phishing Attacks


In an effort to cut off an avenue used in some phishing attacks, Google is planning to block authentication attempts from some apps that use embedded browser frameworks in the near future.

The change is part of a broader initiative by the company to get a better handle on when and how legitimate users sign in, which in turn allows engineers to determine what inauthentic sign-in attempts look like. In 2018 Google began requiring that users enable JavaScript in their browsers when they sign in so that the company’s automated systems can check the device and other factors to determine whether the sign-in attempt is legitimate. In June, Google is planning to prevent individuals from signing in to its services through embedded browser frameworks, such as the Chrome Embedded Framework.

Google is hoping the move will help stop some forms of man-in-the-middle (MITM) attacks, which adversaries use as a way to capture credentials and then sign in to victims’ accounts. There are any number of different MITM attacks, but they all rely on the ability to establish a position between the victim and the service she is trying to log into.

“MITM intercepts the communications between a user and Google in real-time to gather the user’s credentials (including the second factor in some cases) and sign in. Because we can’t differentiate between a legitimate sign in and a MITM attack on these platforms, we will be blocking sign-ins from embedded browser frameworks starting in June,” Jonathan Skelker, a product manager for account product security at Google said in a post announcing the change.

As old and well-researched as it is, phishing is still one of the more effective techniques for adversaries looking to steal user credentials. Many of the phishing campaigns that circulate these days are highly professional and are based on considerable reconnaissance and understanding of the target organization or group. Modern phishing emails now often include details that are specifically tailored for a given victim and come with attachments that look completely legitimate. These are not the desperate, amateurish emails pleading for money to get out of London or offering millions of dollars from an African prince. Phishing is big business, and a highly effective tactic for cybercrime groups and nation-state attackers alike.

Google’s move means that apps that use embedded browser frameworks will need to find a new way to enable users to sign in to their Google accounts. Embedded browser frameworks are simplified versions of mobile browsers designed to enable app developers to include a subset of browser functionality. Apps that make use of them will hit a wall with Google in a few weeks, and the way around that wall is with OAuth, Skelker said.

“The solution for developers currently using CEF for authentication is the same: browser-based OAuth authentication. Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices,” he said.

OAuth is a protocol used for federated authentication in many mobile apps, enabling individuals to authenticate to a service by using their credentials from a third-party service, such as Google or Facebook.

CC By-SA license photo from Carlos Luna.