Dims

Embedded browsers within apps can be useful if you want to use an existing account from another service -- say, your Gmail log-in -- to access their features. However, they're also really easy to weaponize for man-in-the-middle types of phishing attacks. Since Google can't differentiate between a legitimate log-in and a phishing attempt through a browser from within an application, it's blocking sign-ins from all embedded browser frameworks starting in June.

Bad actors can exploit embedded browsers, such as Chromium Embedded Framework, by intercepting communications between the user and providers like Google. The method gives them a way to steal log-in credentials, sometimes even multi-factor authentication details, in real time. Google has been implementing more security measures around log-ins in recent months in an effort to protect users' details. In late 2018, for instance, it launched a risk-assessment feature that requires JavaScript to be able to sign into your account.

The link for this article located at Engadget is no longer available.