Chrome and Microsoft Edge's enhanced spellcheckers can leak your passwords and personal data
Privacy and security are something that all browser manufacturers like to brag about in relation to their products, with Google and Microsoft being no different to others in this regard. But if you are making use of the Enhanced Spellcheck in Chrome or Microsoft Editor in Edge, some highly sensitive information can be sent to the two software giants.
- LastPass reveals details of August hack that gave threat actor access to its development environment for four days
- Microsoft Teams for Windows, macOS and Linux insecurely stores authentication tokens in unprotected cleartext -- and a fix is NOT in the pipeline
- Uber suffers 'cybersecurity incident' with hackers gaining access to internal systems and vulnerability reports
In a blog post, the team of security researchers explains: "Some of the largest websites in the world have exposure to sending Google and Microsoft sensitive user PII, including username, email, and passwords, when users are logging in or filling out forms. An even more significant concern for companies is the exposure this presents to the company's enterprise credentials to internal assets like databases and cloud infrastructure".
There is the additional warning:
If you click on 'show password', the enhanced spellcheck even sends your password, essentially Spell-Jacking your data.
The issue is known to affect a number of big-name websites and services, including Office 365, Alibaba Cloud Service and Google Cloud Secret Manager. LastPass and AWS Secrets Manager were also found to be impacted, but these companies have now implemented mitigations.
Josh Summitt, the co-founder and CTO of otto-js, discovered the security issue when testing the company's script behaviors detection. He says:
If 'show password' is enabled, the feature even sends your password to their third-party servers. While researching for data leaks in different browsers, we found a combination of features that, once enabled, will unnecessarily expose sensitive data to third Parties like Google and Microsoft. What's concerning is how easy these features are to enable and that most users will enable these features without really realizing what is happening in the background.
In the video below, you can see the issue in full effect:
Further tests carried out by BleepingComputer show that other problematic sites include CNN, Facebook, Bank of America and SSA.gov.
It is worth pointing out that the Microsoft Editor Spelling & Grammar Checker is an addon for Microsoft Edge, and that Chrome's Enhanced Spellcheck is not enabled by default. But if you have either installed the add-on or enabled the feature, you have clearly done so for a reason and therefore need to be aware of the associated risks.
You can read more details of otto-js' findings in the research team's blog post.