Google is going to block logging in via embedded browsers
Google is going to block the ability to log in via embedded browsers. As of June, logins via embedded browser frameworks will no longer work. The company wants to protect users against man-in-the-middle attacks.
Google announced the measures on Friday. The company will in future block logins made via the Chromium Embedded Framework. Developers can use that framework to implement an embedded Google account login in their applications, so that users can log into the app without being redirected to the browser. Applications like Steam or Feedly use that feature.
According to Google, such frameworks leave users vulnerable to man-in-the-middle attacks. The company cannot tell whether a login made through such a framework is legitimate or a phishing attack. In the latter case, an attacker can steal login credentials, and even obtain two-step verification codes if the victim uses SMS.
Google has been working to better protect logins for some time now. For example, since last year it has been mandatory to enable JavaScript when logging in, so that the company can better monitor the login process.
Google recommends developers move to OAuth in-browser authentication as their login method. According to Google, this also allows users to immediately see the URL of a login page so that they can better protect themselves against phishing. The measure will take effect from June.