Burp Suite User Forum


Google "This browser or app may not be secure" error

peter | Last updated: Sep 30, 2021 12:38PM UTC

Hello - When attempting to authenticate with accounts.google.com on the built-in Burp browser, I am getting the error "Couldn't sign you in. This browser or app may not be secure." after entering my email address in accounts.google.com. I have reproduced this on Windows 10 Build 19042.1237 using Burp v2021.8.3-9673 and the latest Kali Linux rolling using v2021.8.3. This does not occur when using Firefox, only Chrome (I have not tried a regular install of Chrome, only the built-in Chrome with Burp). I have also regenerated the certificates and followed this guide when adding certificates: https://portswigger.net/burp/documentation/desktop/external-browser-config/certificate I am testing an application that utilizes Google OAuth, so this hampers my testing a bit, as I enjoy using the built-in browser.

Michelle, PortSwigger Agent | Last updated: Sep 30, 2021 03:02PM UTC

Thanks for your message. Do you see this issue with all Google accounts you are using to sign in with or just certain ones? When you imported the CA certificate, was that just for the external browser or did you import it for the embedded browser too?

peter | Last updated: Oct 01, 2021 05:56PM UTC

It's for multiple accounts; I even tried enabling "less secure apps" in Google, with no change. I also imported the CA for the external and embedded browsers. It seems to work fine with the newly generated certificate on Firefox, Edge and Brave; the embedded browser seems to not like it. Also, I am using my home IP address while testing, not a VPN, so it's not a Google security thing.

Michelle, PortSwigger Agent | Last updated: Oct 04, 2021 01:27PM UTC

Thanks for the update. Do the Google accounts you are using for testing use 2FA, or are they just set to use a password? When you log in using an external browser (e.g. Firefox) and are successful, do you get prompted for your password straight away, or are there any additional steps to the login process?

peter | Last updated: Oct 05, 2021 11:38AM UTC

No, 2FA is not enabled on any of them. No CAPTCHA or any other prompts; that only occurs (for me) when testing behind a VPN, which I am not in this case. With external browsers, after entering a password it completes the auth process, so either an OAuth token is sent to the target website or, if reproducing this on mail.google.com, you are dropped into the inbox.

Michelle, PortSwigger Agent | Last updated: Oct 06, 2021 08:53AM UTC

Thanks for the update. I've been having a chat with the team; we just wanted to double-check whether any errors/messages are displayed if you try to log in using the same account and normal Chrome rather than the embedded browser.

peter | Last updated: Oct 07, 2021 10:41AM UTC

I'm not seeing any errors. I recorded a quick video of a fresh Burp session with this issue to show what is happening: https://youtu.be/KVx4fQA2Xzk

Michelle, PortSwigger Agent | Last updated: Oct 11, 2021 08:53AM UTC

Thanks for the video. We've been taking a look into this, and it seems to be a combination of the security settings on the Google account (e.g. no 2FA) and the settings we're using to start the embedded browser that leads to this scenario. We can look to make some tweaks to the way the embedded browser is launched when you're using Proxy -> Intercept -> Open Browser to do testing. I don't have any timescales for this just yet, so I've linked this thread so we can let you know when there is an update. Please let me know if you have any questions.

peter | Last updated: Oct 11, 2021 02:37PM UTC

Great! Thanks for looking into this! How is Google detecting this? Because Burp is actively utilizing Chrome dev tools during the login process? In any case, I look forward to the fix!

Michelle, PortSwigger Agent | Last updated: Oct 12, 2021 03:01PM UTC

Burp is connecting to the embedded browser via the remote-debugging port, and this is being picked up and reported. We'll post back here when we have an update.
