Slashdot Mirror


Google Won't Let You Sign In If You Disabled JavaScript In Your Browser (zdnet.com)

An anonymous reader quotes a report from ZDNet: Google announced today four new security features for securing Google accounts. These four updates are meant to bolster protections before and after users sign into accounts, but also in the case of recovering after a hack. According to Google's Jonathan Skelker, the first of these protections that Google has rolled out today comes into effect even before users start typing their username and password. In the coming future, Skelker says that Google won't allow users to sign into accounts if they disabled JavaScript in their browser. The reason is that Google uses JavaScript to run risk assessment checks on the users accessing the login page, and if JavaScript is disabled, this allows crooks to pass through those checks undetected. This change is likely to impact only a very small number of users -- around 0.01 percent according to Google's data -- but it will likely impact bots harder, as many of them run through headless browsers where this feature is turned off for performance reasons. Google also plans to pull data from Google Play Protect and list all malicious apps that are still installed on a user's Android smartphone. Google's Jonathan Skelker says they will be notifying you "whenever you share any data from your Google Account," expanding on the notifications it sends when you've granted access to sensitive information, like Gmail data or your Google Contacts.

"Last but not least is a security feature that Google plans to use after an account hack," reports ZDNet. "This feature is already live and is a new set of procedures for regaining access and re-securing compromised profiles. The procedure is detailed in this Google support page, and besides just helping users regain access to accounts, it will also help them check financial activity related to Google Pay accounts, review new files added to Gmail or Drive, and secure other accounts at other services that are tied to the main Google account."

10 of 172 comments

  1. This negatively impacts alternative browsers by xack · Score: 5, Interesting

    Especially text browsers that don't support javascript often used by people with disabilities.

    1. Re:This negatively impacts alternative browsers by Anonymous Coward · Score: 2, Interesting

      EVERY new development these days does exactly this.

      RSS is being taken away because advertisers don't get enough information about our reading habits.

      Our privacy and ability to customize our own computer is removed in Windows 10.

      Every useless phone app phones home with all our personal information and no one does a thing about it.

      We are well past 1984.

  2. Re:Only .01%? by Anonymous Coward · Score: 5, Interesting

    Probably because anyone paranoid (rightfully) about JS is even more skeptical of intentionally storing information with Google.

  3. Re:Only .01%? by jellomizer · Score: 5, Interesting

    You can only really trust Javascript as much as you trust the page creators.

    Sure turn off Javascript for your random browsing, but if you are going to a site, where your personal info and needs to log into with... Then you might as well have it enabled. Because your data is already compromised, and you are just missing out on features which may make your browsing a bit easier.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  4. Re:It's 1st of November, not April by jellomizer · Score: 1, Interesting

    I commonly use Javascript to Ajax Call and get a new session key a few times a minute. I do this so if someone did a screen/variable/back button capture of the page, they wouldn't be able to use that data without authentication. If it tries to renew an expired key, it brings you back to the login screen, and additional data will not be read or saved with an invalid key.
    Is it foolproof? No. Is this all I am doing for security? No. But it is putting an extra layer of security that wasn't there before. It is the equivalent of not hiding the key under the welcome mat.
    So yes you can use Javascript to increase security.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
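
The key-rotation scheme described in the comment above, sketched server-side as an added example (not the commenter's code). The class name, the 20-second lifetime and the in-memory Map are assumptions made for illustration.

```javascript
// Added example: short-lived session keys rotated by periodic Ajax renewal.
// All names here are hypothetical; storage is an in-memory Map.
const { randomBytes } = require('node:crypto');

const KEY_TTL_MS = 20_000; // assumed lifetime: client renews about 3 times a minute

class RotatingSessions {
  constructor() {
    this.byKey = new Map(); // current key -> { user, expires }
  }

  // Issue a fresh, unguessable key for a user.
  issue(user, now) {
    const key = randomBytes(32).toString('hex');
    this.byKey.set(key, { user, expires: now + KEY_TTL_MS });
    return key;
  }

  // Called once the user has authenticated.
  login(user, now = Date.now()) {
    return this.issue(user, now);
  }

  // Return the user for a live key, or null (caller sends the login screen).
  check(key, now = Date.now()) {
    const s = this.byKey.get(key);
    if (!s) return null;
    if (now >= s.expires) {
      this.byKey.delete(key);
      return null;
    }
    return s.user;
  }

  // Ajax renewal: swap a live key for a new one; the old key dies at once,
  // so a key captured from a screenshot or the back button stops working.
  renew(key, now = Date.now()) {
    const user = this.check(key, now);
    if (user === null) return null; // expired or unknown: back to login
    this.byKey.delete(key);
    return this.issue(user, now);
  }

  // Writes (and likewise reads) are refused unless the key is current.
  save(key, store, value, now = Date.now()) {
    const user = this.check(key, now);
    if (user === null) return false;
    store.push({ user, value });
    return true;
  }
}
```
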
  5. Re:It's 1st of November, not April by Anonymous Coward · Score: 4, Interesting

    Something seems to be badly broken in the brains of the people behind this.

    Not when you realize that Javascript is primarily about user-tracking, not functionality or "safety". Those are the ways to sell it to the dumb masses. Google is a mass surveillance company, and javascript allows much better tracking of people as they use and move around the web.

    Requiring it is completely consistent with Google's business goals of knowing everything about everybody.

  6. DUH! by freeze128 · Score: 4, Interesting

    Since google's services like gmail, maps, and docs all REQUIRE javascript anyway, you will need to allow javascript in order for those to even work. If you're logging into another service using your google account, then that's where things become sketchy. Of course you can just allow the google domains required for the login using something like noscript or uMatrix.

    I just logged into gmail, and didn't allow gstatic.com and googleusercontent.com and it allowed me to log in. Of course, without gstatic, I couldn't log out. :)

  7. Re:It's 1st of November, not April by squiggleslash · Score: 3, Interesting

    I'm about 90% sure that most security vulnerabilities involved plugins, Flash being the biggest offender but also with problems in plugins that should know better like Java. And, of course, there's ActiveX, plus the ability to download .exes or MSIs and tell people they're OK honest and you should have it because it installs this awesome toolbar.

    I don't recall seeing many Javascript vulnerabilities. The only serious ones I can think of are:

    1. There are a few XSS vulnerabilities that have popped up from time to time. While initially the browser makers blamed the webdevs for this, they've tightened up the scope for XSS attacks to make them extremely difficult over the years.
    2. One of the CPU branch-prediction bugs from last year was exploitable via JS, I forget which but IIRC it was the less severe one and was still pretty close to impossible to exploit in a real world scenario (yes, you could build a carefully constructed proof of concept where you knew exactly what browser was being used on a specific CPU on a specific version of a specific operating system with specific versions of specific shared libraries installed, but outside of that it was hard to exploit).

    Ultimately any web technology can be poorly implemented in such a way that it'll lead to exploits. I wouldn't be remotely surprised to hear, even today, of a buffer overflow bug in a GIF or HTML parser. Disabling JS seems like poor security to me, it reduces the attack surface, sure, but so does disabling images, and like the latter it means most modern web pages aren't going to work properly.

    --
    You are not alone. This is not normal. None of this is normal.
  8. Re:Only .01%? by lgw · Score: 4, Interesting

    Sure turn off Javascript for your random browsing, but if you are going to a site, where your personal info and needs to log into with... Then you might as well have it enabled. Because your data is already compromised,

    Fun fact: web sites often contain content originating from more than one company. You might trust the people you're giving your info to, but is there an ad anywhere on their web site? Heck, even banks run web content from "partners" these days.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  9. Re:Good by Anonymous Coward · Score: 2, Interesting

    Google is looking for something else.

    Hits the nail on the head. Yes, it's about security. And privacy. And for Google it's about collecting more data, regardless of the risks to you.

    The push toward JS overkill is rejecting the golden rule of web design: Make sure your page degrades gracefully and don't tell visitors that your site is "best viewed in last week's version of Chrome or Firefox".

    I actually see an increasing number of pages that pull in a dozen external scripts to add pizzazz, then also use noscript tags. But they're only using the noscript tags to make sure that people with script disabled still get a tracking pixel, while the page itself is actually broken without script!