Slashdot Mirror


Google Won't Let You Sign In If You Disabled JavaScript In Your Browser (zdnet.com)

An anonymous reader quotes a report from ZDNet: Google announced today four new security features for securing Google accounts. These four updates are meant to bolster protections before and after users sign into accounts, but also in the case of recovering after a hack. According to Google's Jonathan Skelker, the first of these protections that Google has rolled out today comes into effect even before users start typing their username and password. In the coming future, Skelker says that Google won't allow users to sign into accounts if they disabled JavaScript in their browser. The reason is that Google uses JavaScript to run risk assessment checks on the users accessing the login page, and if JavaScript is disabled, this allows crooks to pass through those checks undetected. This change is likely to impact only a very small number of users -- around 0.01 percent according to Google's data -- but it will likely impact bots harder, as many of them run through headless browsers where this feature is turned off for performance reasons. Google also plans to pull data from Google Play Protect and list all malicious apps that are still installed on a user's Android smartphone. Google's Jonathan Skelker says they will be notifying you "whenever you share any data from your Google Account," expanding on the notifications it sends when you've granted access to sensitive information, like Gmail data or your Google Contacts.

"Last but not least is a security feature that Google plans to use after an account hack," reports ZDNet. "This feature is already live and is a new set of procedures for regaining access and re-securing compromised profiles. The procedure is detailed in this Google support page, and besides just helping users regain access to accounts, it will also help them check financial activity related to Google Pay accounts, review new files added to Gmail or Drive, and secure other accounts at other services that are tied to the main Google account."

34 of 172 comments

  1. Good by Anonymous Coward · · Score: 4, Funny

    Maybe this javascript thing will finally take off

    1. Re:Good by jellomizer · · Score: 5, Insightful

      Actually Google has been leading JavaScript adoption for over a decade.
      Even back in the early 2000s web/web app developers were slow to use Javascript on their pages (or limited to input validation). Mostly because they were afraid of people using old browsers that didn't support it. If you did a lot of stuff, you probably didn't get the customer, because you cannot reference another popular site that needs Javascript.
      Then with Google's Autocomplete feature and Google Maps becoming a popular feature, it opened the door for the rest of us to apply Javascript, Ajax and DHTML to the pages.
      I know, Booo Javascript sucks! However Javascript is better than Silverlight, Flash, ActiveX, Java Applets, in terms of keeping the web platform open, while offering the features most people wanted.

      Now Javascript has its issues... However it is used on all major browsers, and if coded well, it makes your pages load and run faster. (if not then we have the suckyness we think of wanting to block Javascript for)

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Good by UnknownSoldier · · Score: 3, Insightful

      > and if coded well,

      IF

      That's a mighty big if as websites pull in JS and images from a dozen different sites ...

    3. Re:Good by jellomizer · · Score: 2

      But how well it is coded applies to all software.
      Companies always try to hire non-programmers to make their stuff, thinking this guy can write code so he is good enough. They figure they are saving money. They are not; they are just making crap that is hard to maintain, and the end users just hate.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:Good by sycodon · · Score: 5, Insightful

      My Very Large Defense company employer disables javascript via group policies.

      Security reasons.

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    5. Re:Good by oh_my_080980980 · · Score: 5, Insightful

      So you just backtracked on your own argument. Please just stop. You do not know what you are fucking talking about.

      People block JavaScript for security reasons because of all the malicious stuff it can do. Google forcing you to enable JavaScript is fucking stupid. Hint, they can do what they want without enabling JavaScript. Google is looking for something else.

    6. Re:Good by Anonymous Coward · · Score: 2, Interesting

      > Google is looking for something else.

      Hits the nail on the head. Yes, it's about security. And privacy. And for Google it's about collecting more data, regardless of the risks to you.

      The push toward JS overkill is rejecting the golden rule of web design: Make sure your page degrades gracefully and don't tell visitors that your site is "best viewed in last week's version of Chrome or Firefox".

      I actually see an increasing number of pages that pull in a dozen external scripts to add pizzazz, then also use noscript tags. But they're only using the noscript tags to make sure that people with script disabled still get a tracking pixel, while the page itself is actually broken without script!

  2. Only .01%? by PuddleBoy · · Score: 5, Insightful

    So Google says that only 1 in 10,000 of us have a Google account and disable Javascript?

    I feel special.

    1. Re:Only .01%? by Anonymous Coward · · Score: 5, Interesting

      Probably because anyone paranoid (rightfully) about JS is even more skeptical of intentionally storing information with Google.

    2. Re:Only .01%? by jellomizer · · Score: 5, Interesting

      You can only really trust Javascript as much as you trust the page creators.

      Sure turn off Javascript for your random browsing, but if you are going to a site, where your personal info and needs to log into with... Then you might as well have it enabled. Because your data is already compromised, and you are just missing out on features which may make your browsing a bit easier.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:Only .01%? by lgw · · Score: 4, Interesting

      > Sure turn off Javascript for your random browsing, but if you are going to a site, where your personal info and needs to log into with... Then you might as well have it enabled. Because your data is already compromised,

      Fun fact: web sites often contain content originating from more than one company. You might trust the people you're giving your info to, but is there an ad anywhere on their web site? Heck, even banks run web content from "partners" these days.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    4. Re:Only .01%? by HiThere · · Score: 2

      Well, I've got an account with them, but I'm OK with never logging into it again.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  3. It's 1st of November, not April by Opportunist · · Score: 5, Insightful

    ENABLE Javascript to increase security.

    Now I've seen it all.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:It's 1st of November, not April by Anonymous Coward · · Score: 2, Insightful

      So much this.

      What fraction of all the web-foisted security vulnerabilities use Javascript as an attack vector? Thinking back to the last 10 or 15 years of reporting, I'd say it's in excess of 90%.

      Anyone who wants security on the web keeps javascript disabled.

      The stupidity is strong.

    2. Re:It's 1st of November, not April by Anonymous Coward · · Score: 4, Interesting

      Something seems to be badly broken in the brains of the people behind this.

      Not when you realize that Javascript is primarily about user-tracking, not functionality or "safety". Those are the ways to sell it to the dumb masses. Google is a mass surveillance company, and javascript allows much better tracking of people as they use and move around the web.

      Requiring it is completely consistent with Google's business goals of knowing everything about everybody.

    3. Re:It's 1st of November, not April by bentcd · · Score: 5, Insightful

      Enable javascript to improve security for Google, not for yourself.

      To improve security for yourself, don't have a Google account.

      --
      sigs are hazardous to your health
    4. Re:It's 1st of November, not April by squiggleslash · · Score: 3, Interesting

      I'm about 90% sure that most security vulnerabilities involved plugins, Flash being the biggest offender but also with problems in plugins that should know better like Java. And, of course, there's ActiveX, plus the ability to download .exes or MSIs and tell people they're OK honest and you should have it because it installs this awesome toolbar.

      I don't recall seeing many Javascript vulnerabilities. The only serious ones I can think of are:

      1. There are a few XSS vulnerabilities that have popped up from time to time. While initially the browser makers blamed the webdevs for this, they've tightened up the scope for XSS attacks to make them extremely difficult over the years.
      2. One of the CPU branch-prediction bugs from last year was exploitable via JS, I forget which but IIRC it was the less severe one and was still pretty close to impossible to exploit in a real world scenario (yes, you could build a carefully constructed proof of concept where you knew exactly what browser was being used on a specific CPU on a specific version of a specific operating system with specific versions of specific shared libraries installed, but outside of that it was hard to exploit).

      Ultimately any web technology can be poorly implemented in such a way that it'll lead to exploits. I wouldn't be remotely surprised to hear, even today, of a buffer overflow bug in a GIF or HTML parser. Disabling JS seems like poor security to me, it reduces the attack surface, sure, but so does disabling images, and like the latter it means most modern web pages aren't going to work properly.

      --
      You are not alone. This is not normal. None of this is normal.
    5. Re:It's 1st of November, not April by jellomizer · · Score: 2

      When companies say "best practices" I hear "This is how we did it, we don't want you to argue with us."

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  4. This negatively impacts alternative browsers by xack · · Score: 5, Interesting

    Especially text browsers that don't support javascript often used by people with disabilities.

    1. Re:This negatively impacts alternative browsers by Anonymous Coward · · Score: 5, Insightful

      Exactly. This goes against everything webdevs were taught to do (DEGRADE GRACEFULLY) for the past 20 years.

    2. Re:This negatively impacts alternative browsers by Anonymous Coward · · Score: 2, Interesting

      EVERY new development these days does exactly this.

      RSS is being taken away because advertisers don't get enough information about our reading habits.

      Our privacy and ability to customize our own computer is removed in Windows 10.

      Every useless phone app phones home with all our personal information and no one does a thing about it.

      We are well past 1984.

  5. I might be cynical but... by Anonymous Coward · · Score: 3, Insightful

    This is a pretty transparent attempt to try to make surveillance easier for themselves under the guise of user security

  6. "Mother Effing Tool Confuser" by Karl Groves by tepples · · Score: 4, Insightful

    Last I checked, screen-reading tools support major web browsers, which in turn run JavaScript. There are even versions of elinks and w3m that run JavaScript. Karl Groves created "Mother Effing Tool Confuser", a webpage where a script adds sufficient accessibility markup, to demonstrate this fact.

    1. Re:"Mother Effing Tool Confuser" by Karl Groves by apoc.famine · · Score: 2

      Screen reading tools identify the areas of the page and allow the user to select what areas they wish to have read to them. Something like "Page contains header, left menu, body, footer, etc." The user then uses hotkeys to select the part they want read to them. The different div sections get called based on the names they are given by the developer.

      --
      Velociraptor = Distiraptor / Timeraptor
  7. It's about tracking... by QuietLagoon · · Score: 5, Insightful

    > The reason is that Google uses JavaScript to run risk assessment checks on the users

    Google is all about tracking people on the net. Anything google does is about tracking people. The reason google needs javascript to be enabled is so that the javascript can help track people. Enabling javascript does not increase security, it decreases security. Javascript is a huge attack surface.

    1. Re:It's about tracking... by 110010001000 · · Score: 5, Funny

      That isn't true. They are just a bunch of altruistic guys that like to program stuff.

    2. Re:It's about tracking... by Anonymous Coward · · Score: 5, Insightful

      > Javascript is a huge attack surface.

      When it comes to the modern web, Javascript is all but THE attack surface.

      ActiveX used to be another big one, but we got rid of that.

      In recent years, virtually every instance of "I went to this web site and now my computer is infected" has been due to javascript. And about 90% of the tracking, and about 100% of the annoyware like popping up boxes over the top of the page's content or disabling right clicks is due to javascript.

      It's also what allows the majority (but not all) of Panopticlick-style attacks.

      Javascript is a cancer on the web. It has occasional, small uses, but its use should be minimized at all costs.

    3. Re:It's about tracking... by darkmeridian · · Score: 2

      Google is requiring Javascript to log into their services. Almost by definition, the users who log in are going to be tracked with or without Javascript because they're, well, logging into Google. Requiring Javascript decreases security from the point of view of a browser being hacked. However, requiring Javascript increases security from the point of view of decreasing the risk of bots randomly trying to log in using brute force.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
  8. Color me dubious. by hey! · · Score: 3, Insightful

    If client-side javascript is part of the security check, I don't see how that prevents a crook from forging an authentic-looking HTTP request.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  9. DUH! by freeze128 · · Score: 4, Interesting

    Since google's services like gmail, maps, and docs all REQUIRE javascript anyway, you will need to allow javascript in order for those to even work. If you're logging into another service using your google account, then that's where things become sketchy. Of course you can just allow the google domains required for the login using something like noscript or uMatrix.

    I just logged into gmail, and didn't allow gstatic.com and googleusercontent.com and it allowed me to log in. Of course, without gstatic, I couldn't log out. :)

  10. Re:And soon the whole internet by QuietLagoon · · Score: 2

    > First it's "sign into Google accounts". But next it's "not get flagged as a bot by reCaptcha3"

    ^^^ This. ^^^ . . . How long before google becomes the effective gatekeeper on the net? How long before you need to allow google to track you (via javascript) in order to log into a website you want to visit?

  11. Applications vs. documents by tepples · · Score: 5, Insightful

    > I know, Booo Javascript sucks! However Javascript is better than Silverlight, Flash, ActiveX, Java Applets, in terms of keeping the web platform open, while offering the features most people wanted.

    Some Slashdot users would claim that web applications written in JavaScript are still inferior to native applications made with Qt or another multi-platform GUI framework and distributed to the public in the form of source code under a free software license. They see the web not as an application platform but as a platform for publishing documents.

  12. Re:Better e-mail service. by ledow · · Score: 2

    Why don't you use GMail.... and access it via IMAP?

    Or you can pay any domain host for a domain with email... they start at literally pence normally.

    You don't / can't run email servers from home anyway (you'll be on Spamhaus policy blacklist because the ISP almost certainly lists all their dynamic IPs there), you need a secure outside machine that's on 24/7 with a fixed IP and not listed as being a "home" connection via Spamhaus PBL/XBL etc. Don't even get me started on sending email, you need to be SPF'd up too, really, and a proper reverse DNS entry.

    You can get a VPS for a pittance a month, and a ten minute tutorial on, say, Postfix will set it up for you and include forwarding / copying all email to something like GMail or any other provider if you ever need it in the future should something go wrong.

    Personally I do the latter. And I can collect via GMail (via IMAP) or via my server direct (via IMAP), they both get copies of all emails. But if you're that worried, almost certainly whoever you hold domains with will have free email forwarding and free/pittance webmail access too if you want.

  13. Re:Better e-mail service. by eaglesrule · · Score: 2

    Protonmail seems to be the popular choice. I use it, as well as their VPN service in a bundled deal. So far I've yet to uncover any news or evidence that the promise of privacy is just a marketing ploy.