Google won't let you sign in if you disabled JavaScript in your browser


nir

Google announces four new security features to protect Google accounts.

 

Google announced today four new security features for securing Google accounts. These four updates are meant to bolster protections before and after users sign into accounts, but also in the case of recovering after a hack.

 

According to Google's Jonathan Skelker, the first of these protections that Google has rolled out today comes into effect even before users start typing their username and password.

 

In the coming future, Skelker says that Google won't allow users to sign into accounts if they disabled JavaScript in their browser.

 

The reason is that Google uses JavaScript to run risk assessment checks on the users accessing the login page, and if JavaScript is disabled, this allows crooks to pass through those checks undetected.

 

This change is likely to impact only a very small number of users --around 0.01 percent according to Google's data-- but it will likely impact bots harder, as many of them run through headless browsers where this feature is turned off for performance reasons.

[Image: google-javascript-login-alert.png (credit: Google)]

The second new security feature is related to malicious Android apps that users might have installed on their phones.

Google plans to pull data from Google Play Protect, a security scanner included with the official Google Play Android app, and list all malicious apps that are still installed on a user's Android smartphone.

 

This information will be shown inside the Google Security Checkup section of a Google account in the coming weeks, although this reporter believes this information should be plastered on a user's screen right after he logs into his Google account so that the user can take action as soon as possible.

[Image: google-malicious-app-notification.png (credit: Google)]

The third new feature is related to third-party apps and websites that a user has granted permission to access Google account data in the past.

 

"We already notify you when you've granted access to sensitive information -- like Gmail data or your Google Contacts -- to third-party sites or apps, and in the next few weeks, we'll expand this to notify you whenever you share any data from your Google Account," Skelker explained today in a blog post.

 

Just like the previous feature, Google plans to list all the third-party apps and websites that gained access to a user's Google data in the soon-to-be-very-crowded Security Checkup section.

[Image: google-malicious-app-accessing-data.png (credit: Google)]

Last but not least is a security feature that Google plans to use after an account hack. This feature is already live and is a new set of procedures for regaining access and re-securing compromised profiles.

 

The procedure is detailed in this Google support page, and besides just helping users regain access to accounts, it will also help them check financial activity related to Google Pay accounts, review new files added to Gmail or Drive, and secure other accounts at other services that are tied to the main Google account.

 

This GIF shows a preview of how this new account recovery process works, without you having to trigger one just to find out how it works.

 

Source


🙄 but browsers are not supporting JavaScript anymore, ex. Chrome or Firefox :dunno:



41 minutes ago, sanjoa said:

🙄 but browsers are not supporting JavaScript anymore, ex. Chrome or Firefox :dunno:

You must mean Java; that's not the same thing.

https://www.htmlgoodies.com/beyond/javascript/article.php/3470971/Java-vs-JavaScript.htm

 

And nowhere I know that I've ever been will let you sign in if you disable JavaScript. Most of the time, if you sign in, it means you trust the site enough to allow JavaScript. Disabling JavaScript breaks signing in on most sites.

 

How to enable JavaScript in your browser
 

Quote


Nowadays almost all web pages contain JavaScript, a scripting programming language that runs on visitor's web browser. It makes web pages functional for specific purposes and if disabled for some reason, the content or the functionality of the web page can be limited or unavailable. Here you can find instructions on how to enable (activate) JavaScript in five most commonly used browsers.

 

instructions

https://www.enable-javascript.com/



  • Administrator

Topic moved to Security and Privacy News. While the issue is related to browsers, which are software, this news overall is about security issues, I think.

 

@steven36 beat me to answering it. :P



If you have disabled JavaScript, there's no point in going on the internet anymore... most of the things and features will not work anymore.
Disabling JavaScript does not protect anyone in any way; rather, the effect is the opposite. JavaScript is not at all guilty of the reduction in people's level of awareness every day.
There is one interesting law in nature: if you want to be believed, you have to lie. And that you can see every day and everywhere.



34 minutes ago, steven36 said:

You must mean Java; that's not the same thing.

https://www.htmlgoodies.com/beyond/javascript/article.php/3470971/Java-vs-JavaScript.htm

 

And nowhere I know that I've ever been will let you sign in if you disable JavaScript. Most of the time, if you sign in, it means you trust the site enough to allow JavaScript. Disabling JavaScript breaks signing in on most sites.

 

How to enable JavaScript in your browser
 

instructions

https://www.enable-javascript.com/

 

:oops: I've messed up between Java & JavaScript.



46 minutes ago, sanjoa said:

 

:oops: I've messed up between Java & JavaScript.

Most of the time I only block JavaScript on 3rd-party sites with uMatrix unless there's a reason I need to block it. With uMatrix there are a lot of scripts it blocks that ESET detects, and if you don't block the 3rd-party scripts ESET won't let you on the website. But as far as 1st-party JavaScript goes, you need that on most sites... There are some that don't need JavaScript if you don't mind not having full function of the site.



Google users who have disabled JavaScript in the browsers that they are using to browse the Internet soon won't be able to sign in to their Google accounts anymore unless they enable JavaScript for the login process.

 

Google announced yesterday that it will make JavaScript mandatory on sign-in pages and that it will display a "couldn't sign you in" message to users who have it disabled.

Internet users disable JavaScript for a number of reasons and most are well aware of the issues associated with that. A browser extension like NoScript blocks JavaScript execution by default to improve user privacy and security on the Internet.

 

Scripts don't run without JavaScript which reduces or even eliminates tracking, advertisement and malicious attacks.

 

Websites may load faster and users may save bandwidth if JavaScript is disabled or blocked in the browser. Some sites, however, will break if JavaScript is disabled as they use scripts for some or even all functionality provided.

 

Google explains that it wants to run a risk assessment during sign-in to Google accounts and that it requires JavaScript for that.

When your username and password are entered on Google’s sign-in page, we’ll run a risk assessment and only allow the sign-in if nothing looks suspicious. We’re always working to improve this analysis, and we’ll now require that JavaScript is enabled on the Google sign-in page, without which we can’t run this assessment.

The company goes on to explain that only 0.01% of Internet users run browsers in which JavaScript is disabled. While Google does not mention it explicitly, most bots on the Internet run with JavaScript disabled to improve performance and avoid detection mechanisms.

 

Google announced the launch of reCAPTCHA version 3 recently which promises to do away with annoying captchas by running risk assessments and giving sites control over what happens when scores below a set threshold are given.

 

Google changed the sign-in process in 2013 from the traditional username and password form to a multi-page form. The company enabled a link between sign-ins in its Chrome web browser and Google services on the Internet in 2018.

Closing Words

Some may suggest that Google's motivation for making JavaScript a requirement for account sign-ins is not based entirely on the desire to better protect Google accounts from login-related attacks. Google is an advertisement company first and foremost, and the bulk of advertisement on the Internet relies on JavaScript.

 

Source: Google sign-ins will require JavaScript soon (Ghacks - Martin Brinkmann)



That's bad decision-making from Google; they have a mission-critical system that is confirmed to work without issues and doesn't need JavaScript.

But somehow they now want to tamper with a working mission-critical system that already works fine and add a dependency that was not required before.

 

So their login system will move from confirmed working to potentially not working, along with new requirements for testers and developer time.

These developers will have to rewrite a complex operational system that just doesn't need to be tampered with and can be left as-is just as well.

 

I see no reason to rewrite something that is confirmed to work and operates without issues, unless you want to run anti-user scripts client-side.



On 11/1/2018 at 11:32 AM, DKT27 said:

Topic moved to Security and Privacy News. While the issue is related to browsers, which are software, this news overall is about security issues, I think.

 

I couldn't decide between the two forums. I picked the wrong one. :)



Apart from the new JavaScript policy, there are another couple of points that I discovered — WRT Cookies and the element Other.

 

Cookies

Users of the Firefox add-on, Self-Destructing Cookies might recognize the fact that Google components have always worked with cookies configured to "self-destruct after the Google tabs were closed" (red icon) — recently however, Google fails to work with my above-mentioned policy and needs Self-Destructing Cookies to be configured to "self-destruct only after the browser is closed" (yellow icon.)

 

Other

The Other element is another web element quite similar to the JavaScript element being discussed on this thread — on Google pages, the Other element needs to load before the JavaScript element can even begin to load. The point being that . . . . . components of Google now, won't work if the Other element is blocked.



Archived

This topic is now archived and is closed to further replies.
