Spell-Checking In Google Chrome & Microsoft Edge Browsers Leak Passwords

Uploaded on 2022-10-19 in FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Advanced spell-check features in Google Chrome and Microsoft Edge could cause problems for users as a serious security flaw has been discovered in Google Chrome and Microsoft Edge which allows personal information, to be shared in cleartext with third parties. 

Some of the largest websites in the world have exposure to s   ending Google and Microsoft sensitive user Personally Identifiable Information (PII), including username, email, and passwords, when users are logging in or filling out forms. 

An even more significant concern for companies is the exposure this presents to the company's enterprise credentials to internal assets like databases and cloud infrastructure.

Specifically, the data is harvested when consumers fill in forms on popular websites and cloud-based enterprise apps. It's also called "spell-jacking" by researchers: Both browsers have spell-check features that send data to Microsoft and Google when users fill out forms for websites or Web services. The issue was identified by security firm Otto JavaScript Security (Otto-js). 

According to the company, the flaw could expose personally identifiable information from some widely used applications such as Amazon Web Services, Google Cloud, LastPass, and Office 365.

Of the 30 control group websites tested, 96.7% sent data with PII back to Google and Microsoft, while 73% sent passwords when "show password" was clicked.  Worse, the ones that did not send passwords had not actually mitigated the issue; they just lacked the "show password" feature.

Amongst the websites that Otto-js researchers investigated, Google is the only one that had already fixed the issue for email and some services, although the researchers found that the company's Web service Google Cloud Secret Manager remains vulnerable. 

Whenever Chrome’s Enhanced Spellcheck and Edge’s MS Editor are enabled on browsers, the leak can occur and the applications also leak user passwords if the show password feature is clicked when entering data into a site or device.

OTTO:   Spiceworks:      TechRadar:    Oodaloop:   PCMag:    Dark Reading:  

You Might Also Use: 

Identity Access Management  Essentials:

 

« Microsoft Teams Is Vulnerable To GIFShell Attacks
Legacy Technology is Undermining How Business Responds To Ransomware »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Hitachi ID Systems

Hitachi ID Systems

Hitachi ID Systems offers comprehensive identity management and access governance, privileged access management and password management solutions.

Resilient Information Systems Security (RISS)

Resilient Information Systems Security (RISS)

RISS is a research group is in the Department of Computing at Imperial College London.

SecureNow Insurance Broker

SecureNow Insurance Broker

SecureNow is a commercial insurance broker based in India. Services offered include Cyber Risk insurance.

CodeOne

CodeOne

CodeOne provides solutions for website and web app security.

Mondo

Mondo

Mondo is the largest national staffing agency specializing exclusively in high-end, niche IT, Tech, and Digital Marketing talent. Areas of expertise include Cybersecurity.

Networkers

Networkers

Networkers is a global recruitment consultancy helping unite job-seekers and hiring companies across the technology industry.

DataArt

DataArt

DataArt is a global technology consultancy that designs, develops and supports unique software solutions. Areas of activity include software security testing.

United Biometrics

United Biometrics

United Biometrics is an anonymous and real-time authentication platform designed to stop the fraud for mobile payments, e-Commerce and applications.

GoCyber

GoCyber

GoCyber is a new, highly innovative cyber security training app that uses action based learning to significantly improve the online behaviour of all employees in less than a month.

Kickstart

Kickstart

Kickstart supports your startup in scaling deep technology businesses in Switzerland in areas such as AI, Blockchain and Cybersecurity.

Netsurion

Netsurion

Netsurion powers secure and agile networks for highly distributed and small-to-medium enterprises and the IT providers that serve them.

Naq Cyber

Naq Cyber

Naq is the number one platform for SMEs looking to become legally compliant and protect against cybercrime and other data-related incidents.

Jit

Jit

Jit empowers developers to own security for the product they are building from day zero.

NORMA Cyber

NORMA Cyber

NORMA Cyber delivers centralised cyber security services to Norwegian shipowners and other entities within the Norwegian maritime sector.

SEALSQ

SEALSQ

For the last 25 years, SEALSQ have been developing secure semiconductor chips, secure embedded firmware, and tested hardware provisioning services to serve the vision of a safer connected world.

Taktika

Taktika

Taktika stands at the forefront of cybersecurity defense, offering cutting-edge integration and managed Security Operations Center (SOC) services.