Posted by Lillan Marie Agerup, Product Manager
We are always working to improve security protections of Google accounts. Our security systems automatically detect, alert and help protect our users against a range of security threats. One form of phishing, known as “man-in-the-middle”, is hard to detect when an embedded browser framework (e.g., Chromium Embedded Framework - CEF) or another automation platform is being used for authentication. MITM presents an authentication flow on these platforms and intercepts the communications between a user and Google to gather the user’s credentials (including the second factor in some cases) and sign in. To protect our users from these types of attacks Google Account sign-ins from all embedded frameworks will be blocked starting on January 4, 2021. This block affects CEF-based apps and other non-supported browsers.
To minimize the disruption of service to our partners, we are providing this information to help developers set up OAuth 2.0 flows in supported user-agents. The information in this document outlines the following:
- How to enable sign-in on your embedded framework-based apps using browser-based OAuth 2.0 flows.
- How to test for compatibility.
Apps that use embedded frameworks
If you're an app developer and use CEF or other clients for authorization on devices, use browser-based OAuth 2.0 flows. Alternatively, you can use a compatible full native browser for sign-in.
For limited-input device applications, such as applications that do not have access to a browser or have limited input capabilities, use limited-input device OAuth 2.0 flows.
Modern browsers with security updates will continue to be supported.
The browser must not proxy or alter the network communication. Your browser must not do any of the following:
- Server-side rendering
- HTTPS proxy
- Replay requests
- Rewrite HTTP headers
The browser must have a reasonably complete implementation of web standards and browser features. You must confirm that your browser does not contain any of the following:
- Headless browsers
- Text-based browsers
The browser must identify itself clearly in the User-Agent. The browser must not try to impersonate another browser like Chrome or Firefox.
The browser must not provide automation features. This includes scripts that automate keystrokes or clicks, especially to perform automatic sign-ins. We do not allow sign-in from browsers based on frameworks like CEF or Embedded Internet Explorer.
Test for compatibility
If you're a developer that currently uses CEF for sign-in, be aware that support for this type of authentication ends on January 4, 2021. To verify whether you'll be affected by the change, test your application for compatibility. To test your application, add a specific HTTP header and value to disable the allowlist. The following steps explain how to disable the allowlist:
- Go to where you send requests to
Google-Accounts-Check-OAuth-Login:trueto your HTTP request headers.
The following example details how to disable the allowlist in CEF.
Note: You can add your custom headers in
To test manually in Chrome, use ModHeader to set the header. The header enables the changes for that particular request.
Setting the header using ModHeader
See our previous blog post about protection against man-in-the-middle phishing attacks.