
I received an email from Google: "We're writing to let you know that we detected the use of an embedded webview in requests to Google's OAuth 2.0 authorization endpoint in the past 120 days associated with one or more of your OAuth client IDs listed in this email."

  1. Our site is only a web application (smodin.io)

  2. We've been using Google auth for many months, beyond the 120-day period; according to this post from Google we should have been notified months ago (we also have a dev environment that hasn't received the same email).

  3. I've received emails in the past from spam security bounties about avoiding iframe hijacking for login and I'm not sure if it's related. I had been advised it wasn't actually a concern.

How might I find out where this embedded webview is coming from? (and any related security concern it could be coming from)

Our setup: Firebase Auth (Google and email/password login) and Next.js (React).

PS: This is ~identical to Google OAuth 2.0 client ID authorization via embedded webview, but no sufficient answer was received because it was originally asked in a poor way, I think.

Kevin Danikowski
  • Random guess, but maybe here: https://play.google.com/store/apps/details?id=com.smodin.info.paraphrase&hl=en_GB&gl=US ? – Blundell Mar 28 '23 at 16:47
  • @Blundell that's been there for a long time; I've been trying to take them down due to trademark infringement and haven't had success. That was a great guess though! It's been around much longer and says the last update was over 6 months ago. – Kevin Danikowski Mar 28 '23 at 16:49
  • Ah ok, so same name, but they don't wrap your site in the app at all? – Blundell Mar 28 '23 at 16:51
  • So I just looked, and no, but it's kinda funny: it basically just tells you how to use our site XD – Kevin Danikowski Mar 28 '23 at 16:58
  • Same exact email received by us. We use the Firebase JS SDK... nothing is done directly from our side. Really confusing email; all the materials they direct us to have 0 actionable insights, except more links to nebulous resources. – eMTy Mar 28 '23 at 17:01
  • We received a similar email. Are you just using Google for SSO or to acquire tokens? Could this issue be that someone navigated to the site from a non-native browser on a mobile device and tried to SSO through that webview? – alex Mar 28 '23 at 17:27
  • We don't use SSO, just email/password and Google. @alex – Kevin Danikowski Mar 28 '23 at 17:44
  • We also received the email. I'm assuming someone received a link to our app via a messaging app with a built-in browser, for example Line. – ivo Mar 28 '23 at 20:15
  • @ivo A link to your app is enough? Or are you saying your login screen was opened within the messaging app, and this caused the alert to go off? – Kevin Danikowski Mar 29 '23 at 00:42
  • @KevinDanikowski Yes, I think someone probably touched the link and it opened in the message app's browser and then they tried to do a google auth. – ivo Mar 29 '23 at 01:31
  • Did anyone find a solution? I have received the same email. – Md Javed Akhtar Mar 30 '23 at 13:05
  • From the comments above, I think it's not really a big deal; I think it's just some random app loading. As long as you only have a web app, I don't think you'll need to take any action (don't take my word for it, but that's my guess). – Kevin Danikowski Mar 30 '23 at 22:51

2 Answers


You can use Google Analytics to get some clues. You can filter by the Browser called "Android Webview".

In my case I found out that it was mainly social traffic coming from third-party apps, like Facebook and LinkedIn. I'm still trying to find a solution, because obviously I have no control over those apps.

Luis Rodriguez

This error happens when you use Google SSO in a non-native browser app. I was able to reproduce it by opening our site in a non-native mobile app (I opened it through Facebook Messenger's browser). When I tried to SSO with Google I received the error in the following screenshot.

Here is Google’s documentation around this: https://developers.google.com/identity/protocols/oauth2/web-server#authorization-errors-disallowed-useragent

[screenshot of the Google authorization error page]

alex
  • This doesn't exactly answer where the error came from for me, but it's very helpful to know you can reproduce it with this method. – Kevin Danikowski Apr 05 '23 at 12:35
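Both answers point at the same mechanism: a user opens the site inside an in-app browser (Facebook, Messenger, LinkedIn, LINE, a bare Android WebView), taps "Sign in with Google", and Google's authorization endpoint rejects the request with the disallowed_useragent error that the linked documentation describes. The notice from Google is therefore a report of where the login traffic came from, not a vulnerability in the site. The script below is an added example, not code from the question, either answer, or Firebase/Google; it shows how to locate that traffic in ordinary web server access logs (as an alternative to the Google Analytics filter in the first answer) and how to gate the Google button on the login page so those users get an explanation instead of Google's error page. The User-Agent markers are well-known heuristics for each in-app browser and can change without notice; the log lines are constructed for the example and are not real traffic.

```javascript
// Added example, not from the question or either answer.
// Assumptions: the User-Agent markers below are the well-known substrings
// each in-app browser sends; they are heuristics, not an authoritative list.
// SAMPLE_LOG_LINES are constructed for this example.

// Substring markers for in-app browsers. First match wins.
const IN_APP_MARKERS = [
  ['FBAN', 'Facebook'],        // Facebook and Messenger on iOS
  ['FBAV', 'Facebook'],        // Facebook and Messenger on Android
  ['Instagram', 'Instagram'],
  ['LinkedInApp', 'LinkedIn'],
  ['Line/', 'LINE'],
];

// Classify one User-Agent string as an embedded webview or a normal browser.
function classifyUserAgent(ua) {
  for (const [marker, host] of IN_APP_MARKERS) {
    if (ua.includes(marker)) return { embedded: true, host };
  }
  // Android System WebView: "; wv)" in the platform token, and/or a
  // "Version/x.y" token before "Chrome/" that Chrome for Android does not send.
  if (/Android/.test(ua) && (/; ?wv\)/.test(ua) || /Version\/\d+\.\d+.*Chrome\//.test(ua))) {
    return { embedded: true, host: 'Android WebView' };
  }
  // iOS: Safari and SFSafariViewController send a "Safari/" token; a bare
  // WKWebView does not, so its absence is the tell.
  if (/(iPhone|iPad|iPod)/.test(ua) && /AppleWebKit/.test(ua) && !/Safari\//.test(ua)) {
    return { embedded: true, host: 'iOS WebView' };
  }
  return { embedded: false, host: 'browser' };
}

// Combined log format: ip - - [time] "request" status bytes "referer" "user-agent"
const COMBINED_LOG = /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

// Count webview hits per host app and per referrer, so the source of the
// traffic Google is warning about can be pinned down from the server logs.
function summarizeAccessLog(lines) {
  const summary = { total: 0, embedded: 0, byHost: {}, referrers: {} };
  for (const line of lines) {
    const m = COMBINED_LOG.exec(line);
    if (!m) continue;                       // skip malformed lines
    const referer = m[6];
    const ua = m[7];
    summary.total += 1;
    const { embedded, host } = classifyUserAgent(ua);
    if (!embedded) continue;
    summary.embedded += 1;
    summary.byHost[host] = (summary.byHost[host] || 0) + 1;
    summary.referrers[referer] = (summary.referrers[referer] || 0) + 1;
  }
  return summary;
}

// Client-side gate for the login page (call with navigator.userAgent):
// inside a webview, hide the Google button and say why, instead of letting
// the user land on Google's disallowed_useragent error.
function googleSignInAvailability(ua) {
  const { embedded, host } = classifyUserAgent(ua);
  if (!embedded) return { offerGoogle: true, hint: null };
  return {
    offerGoogle: false,
    hint: `Google sign-in does not work inside the ${host} in-app browser. ` +
          'Open this page in Chrome or Safari, or sign in with email and password.',
  };
}

// Constructed sample lines: Facebook in-app, desktop Chrome, LinkedIn in-app,
// iOS Safari, LINE in-app. Only the three in-app hits should be flagged.
const SAMPLE_LOG_LINES = [
  '203.0.113.5 - - [28/Mar/2023:16:47:01 +0000] "GET /login HTTP/1.1" 200 512 "https://l.facebook.com/" "Mozilla/5.0 (Linux; Android 12; Pixel 6 Build/SQ3A.220705.003; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/110.0.5481.154 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/405.0.0.22.105;]"',
  '198.51.100.7 - - [28/Mar/2023:16:48:10 +0000] "GET /login HTTP/1.1" 200 512 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"',
  '203.0.113.9 - - [28/Mar/2023:16:49:33 +0000] "GET /login HTTP/1.1" 200 512 "https://www.linkedin.com/" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [LinkedInApp]"',
  '198.51.100.8 - - [28/Mar/2023:16:50:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Mobile/15E148 Safari/604.1"',
  '203.0.113.12 - - [28/Mar/2023:16:51:45 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 13; SM-S908B Build/TP1A.220624.014; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/110.0.5481.154 Mobile Safari/537.36 Line/13.3.0/IAB"',
];

console.log(JSON.stringify(summarizeAccessLog(SAMPLE_LOG_LINES), null, 2));
```

Run it against a real access log by replacing SAMPLE_LOG_LINES with the file's lines; the byHost and referrers counts answer "where is the embedded webview coming from" in the same way as the Google Analytics browser filter, and the referrer usually names the app (for example l.facebook.com for traffic leaving Facebook). The gate is a usability measure only: UA sniffing can be wrong in both directions, and the authoritative rejection is still made by Google's endpoint, so keep the email/password path available rather than relying on this check for anything security-relevant.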