Spell-checking in Google Chrome, Microsoft Edge browsers leaks passwords

Spell-checking features present in both the Google Chrome and Microsoft Edge browsers are leaking sensitive user information — including username, email, and passwords — to Google and Microsoft, respectively, when people fill in forms on popular websites and cloud-based enterprise apps.

The issue — dubbed “spell-jacking” by researchers at client-side security firm Otto JavaScript Security (Otto-js) — can expose personally identifiable information (PII) from some of the most widely used enterprise applications, including Alibaba, Amazon Web Services, Google Cloud, LastPass, and Office 365, according to a blog post published Sept. 16.

Otto-js co-founder and CTO Josh Summit discovered the leakage — which occurs specifically when Chrome’s Enhanced Spellcheck and Edge’s MS Editor are enabled on browsers —
while conducting research on how browsers leak data in general.

Summit found that these spell-check features send data to Google and Microsoft that’s entered into form fields — such as username, email, date of birth, and Social Security number — when someone fills out these forms on websites or Web services while using the browsers, the researchers said.

Chrome and Edge also will leak user passwords if the “show password” feature is clicked when someone enters a password into a site or service, sending that data to Google and Microsoft’s third-party servers, they said.

Where the Privacy Risk Lies

Otto-js researchers, who posted a video on YouTube demonstrating how the leakage occurs, tested more than 50 websites that people use daily or weekly that have access to PII. They broke 30 of those into a control group spanning six categories — online banking, cloud office tools, healthcare, government, social media, and e-commerce — and selected websites for each category based on the top ranking in each industry.

Of the 30 control group websites tested, 96.7% sent data with PII back to Google and Microsoft, while 73% sent passwords when “show password” was clicked. Moreover, the ones that did not send passwords had not actually mitigated the issue; they just lacked the “show password” feature, the researchers said.

Of the websites that the researchers investigated, Google is the only one that already had fixed the issue for email and some services. Otto-js found that the company’s Web service Google Cloud Secret Manager remains vulnerable, however.

Meanwhile, Auth0, a popular single sign-on service, was not in the control group that the researchers had investigated but was the only website other than Google that had correctly mitigated the issue, they said.

To read the complete article, visit Dark Reading.