Burp Suite User Forum

Google "This browser or app may not be secure" error

peter | Last updated: Sep 30, 2021 12:38PM UTC

Hello - When attempting to authenticate with accounts.google.com on the built-in Burp browser, I am getting the error "Couldn’t sign you in. This browser or app may not be secure." after entering the email address in accounts.google.com. I have reproduced this on Windows 10 Build 19042.1237 using Burp v2021.8.3-9673 and the latest Kali Linux rolling using v2021.8.3. This does not occur when using Firefox, only Chrome (I have not tried a regular install of Chrome, only the built-in Chrome with Burp). I have also regenerated the certificates and followed this guide in adding certificates: https://portswigger.net/burp/documentation/desktop/external-browser-config/certificate I am testing an application that utilizes Google OAuth, so this hampers my testing a bit, as I enjoy using the built-in browser.

Michelle, PortSwigger Agent | Last updated: Sep 30, 2021 03:02PM UTC

Thanks for your message. Do you see this issue with all Google accounts you are using to sign in with or just certain ones? When you imported the CA certificate, was that just for the external browser or did you import it for the embedded browser too?

peter | Last updated: Oct 01, 2021 05:56PM UTC

It's for multiple accounts, I even tried enabling "less secure apps" in Google, no change. I also imported the CA for external and embedded browsers - it seems to work fine with the newly generated certificate on Firefox, Edge and Brave, the embedded browser seems to not like it. Also, I am using my home IP address while testing, not a VPN, so it's not a Google security thing.

Michelle, PortSwigger Agent | Last updated: Oct 04, 2021 01:27PM UTC

Thanks for the update. Do the Google accounts you are using for testing use 2FA or are they just set to use a password? When you log in using an external browser (e.g. Firefox) and are successful, do you get prompted for your password straight away or are there any additional steps to the login process?

peter | Last updated: Oct 05, 2021 11:38AM UTC

No, 2FA is not enabled on any of them. No CAPTCHA or any other prompts, that only occurs (for me) when testing behind a VPN, which I am not in this case. With external browsers after entering a password it completes the auth process, so either an OAuth token is sent to the target website, or if reproducing this on mail.google.com, you are dropped into the inbox.

Michelle, PortSwigger Agent | Last updated: Oct 06, 2021 08:53AM UTC

Thanks for the update. I've been having a chat with the team, we just wanted to double-check if any errors/messages are displayed if you try to log in using the same account and normal Chrome rather than the embedded browser.

peter | Last updated: Oct 07, 2021 10:41AM UTC

I'm not seeing any errors. I also recorded a quick video of a fresh Burp session with this issue to show what is happening: https://youtu.be/KVx4fQA2Xzk

Michelle, PortSwigger Agent | Last updated: Oct 11, 2021 08:53AM UTC

Thanks for the video. We've been taking a look into this and it seems to be a combination of the security settings on the Google account (e.g. no 2FA) and the settings we're using to start the embedded browser that leads to this scenario. We can look to make some tweaks to the way the embedded browser is launched when you're using Proxy -> Intercept -> Open Browser to do testing. I don't have any timescales for this just yet so I've linked this thread so we can let you know when there is an update. Please let me know if you have any questions.

peter | Last updated: Oct 11, 2021 02:37PM UTC

Great! Thanks for looking into this! How is Google detecting this? Because Burp is actively utilizing Chrome dev tools during the login process? In any case, I look forward to the fix!

Michelle, PortSwigger Agent | Last updated: Oct 12, 2021 03:01PM UTC

Burp's connecting to the embedded browser via the remote-debugging port and this is being picked up and reported. We'll post back here when we have an update.

Shemi | Last updated: Feb 09, 2022 09:34PM UTC

Hi, just came to say I'm experiencing the exact same thing. In the embedded browser, on trying to register on a website with a Google account, after entering the email address in Google's popup window, I get a response saying that the browser is not secure.

Michelle, PortSwigger Agent | Last updated: Feb 10, 2022 08:41AM UTC

Thanks for getting in touch, we've added your details to the case we have raised with our developers. This forum post is linked so we can post back here when there is an update.

NA | Last updated: Apr 06, 2022 02:40PM UTC

We are facing the same problem noted above. Has there been any movement on this or can you give us an ETA on when we can expect an update? Thanks

Michelle, PortSwigger Agent | Last updated: Apr 07, 2022 09:57AM UTC

Thanks for your message. We haven't forgotten about this one. We don't have an exact ETA for it as yet but we will post back here when there is news. We've linked the fact you are also affected by this issue.

Lauritz | Last updated: Jun 16, 2022 11:59AM UTC

Hi there, I just wanted to add that I have also been encountering this issue for several months. Is there any news or an expected ETA for a fix to share? Thanks a lot and best regards, Lauritz

Michelle, PortSwigger Agent | Last updated: Jun 16, 2022 01:47PM UTC

Thanks for getting in touch. We don't have a confirmed ETA for this one yet but we haven't forgotten about it. We've registered your comments against the request and will post here when we have further updates.

Derek | Last updated: Oct 14, 2022 08:14PM UTC

Hi, I'm also experiencing this issue (didn't work in ZAP either!)

Michelle, PortSwigger Agent | Last updated: Oct 17, 2022 08:01AM UTC

Thanks for getting in touch. We've added your details to the case we have here. The issue we currently have raised covers problems people were having when using Burp's embedded browser but they were not affected when using an external browser, such as Firefox, proxied via Burp. Can you please let me know if you see the same behavior and can use Firefox successfully, please?

p | Last updated: Oct 18, 2022 10:54PM UTC

This is definitely hugely problematic and has been for a long time.

Michelle, PortSwigger Agent | Last updated: Oct 19, 2022 08:34AM UTC

Thanks, we'll be discussing this further with the developers here. We'll post back on this thread when we have any updates.

Mark | Last updated: Oct 21, 2022 08:53PM UTC

Hi, I'm also experiencing this issue. Any workaround using the builtin Chromium browser would be appreciated.

Michelle, PortSwigger Agent | Last updated: Oct 24, 2022 12:31PM UTC

Hi, are you experiencing the issue when using recorded logins and creating scan tasks within Pro? Or is this when you're performing manual testing using Burp Proxy?

TedM | Last updated: Oct 25, 2022 02:26AM UTC

I think this might be an issue somewhere in the security settings of Google accounts. I also experience this exact issue on one of my accounts, but when I try to log in with my personal account this does not happen. I'm still figuring out which Google security settings are causing this.

TedM | Last updated: Oct 25, 2022 02:28AM UTC

Just to add, this worked on my Google account with an email that does not use the @gmail.com domain. That might be a factor.

Michelle, PortSwigger Agent | Last updated: Oct 25, 2022 09:13AM UTC

Thanks for the additional information. We'll add that to our case details. Out of interest which tools are you generally using in Burp when you are affected by this issue? For example, are you using Burp proxy or the recorded login/scanning tools?

TedM | Last updated: Oct 27, 2022 08:40AM UTC

I encounter this issue even after disabling the extensions and using the built-in Chromium browser on default settings. But I don't encounter this issue when I log in using a company domain "@company.com".

Michelle, PortSwigger Agent | Last updated: Oct 27, 2022 09:15AM UTC

Thanks for the update. So is this mainly affecting your manual testing using the Proxy Tool within Burp?

peter | Last updated: Oct 28, 2022 12:21PM UTC

Just checking in on this - It seems to be a problem with anything using dev tools w/Chrome (maybe others) but I've noticed with other tools that use dev tools or automation (like with Selenium) there's the same issue. I am guessing it's because Google is using some kind of JavaScript test or is able to trigger a JS setting that I am not skilled enough to find that lets it know it's in a development mode. I'm sure you guys know this, but I figured I'd update with what I've learned since I opened this ticket.

onX | Last updated: Nov 18, 2022 04:32PM UTC

I experience this as well. I can log in with my corporate domain at GCP, but not my personal account @gmail.com. Both of my accounts are set to use multifactor. I've cleared all history, bounced Burp and the browser, and removed all my extensions.

Michelle, PortSwigger Agent | Last updated: Nov 21, 2022 10:53AM UTC

Thanks for getting in touch. Are you seeing this issue when you're doing manual testing using Burp's Proxy, or are you hitting this issue when performing a scan of the site using Burp Scanner?
