Spell-Checking In Google Chrome & Microsoft Edge Browsers Leaks Passwords

Advanced spell-check features in Google Chrome and Microsoft Edge could cause problems for users: a serious security flaw has been discovered in both browsers which allows personal information to be shared in cleartext with third parties.

Some of the largest websites in the world are exposed to sending Google and Microsoft sensitive user Personally Identifiable Information (PII), including usernames, email addresses, and passwords, when users log in or fill out forms.

An even more significant concern for companies is the exposure this presents to the company's enterprise credentials to internal assets like databases and cloud infrastructure.

Specifically, the data is harvested when consumers fill in forms on popular websites and cloud-based enterprise apps. Researchers call the issue "spell-jacking": both browsers have spell-check features that send the contents of form fields to Microsoft and Google when users fill out forms on websites or web services. The issue was identified by security firm Otto JavaScript Security (Otto-js).

According to the company, the flaw could expose personally identifiable information from some widely used applications such as Amazon Web Services, Google Cloud, LastPass, and Office 365.

Of the 30 control-group websites tested, 96.7% sent data containing PII back to Google and Microsoft, and 73% sent passwords when "show password" was clicked. Worse, the sites that did not send passwords had not actually mitigated the issue; they simply lacked a "show password" feature.

Among the websites that Otto-js researchers investigated, Google was the only one that had already fixed the issue for email and some services, although the researchers found that the company's Google Cloud Secret Manager remained vulnerable.

The leak can occur whenever Chrome's Enhanced Spellcheck or Edge's MS Editor is enabled, and passwords also leak when the "show password" feature is clicked while entering data into a site or device.
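The following is an added example, not code from the article or from Otto-js, showing how a site owner can keep credential fields out of the browser's spell-check path. It relies on the standard HTML `spellcheck` attribute (a value of `false` tells the browser not to spell-check that control, and password-type inputs are never spell-checked while masked). The danger point is the "show password" toggle, which switches an input from `type="password"` to `type="text"`; the example audits a form for sensitive fields that are still spell-checkable, hardens them, and implements the toggle so that the opt-out is in place before the type changes. The `SENSITIVE_NAME_PATTERN` heuristic and the `fakeElement` stand-in used to run it offline are assumptions made for this example.

```javascript
// Added example: defensive helpers for a login or settings form so that a
// browser's enhanced spell-check feature never receives a credential field.
// Not taken from the article or from Otto-js. Works on real DOM elements in a
// browser and on any object exposing tagName, type, getAttribute and
// setAttribute (a constructed stand-in is used below so it runs offline).

// Input types whose contents a browser may spell-check (an input with no type
// attribute behaves as type="text"). password, hidden, etc. are never checked.
const SPELLCHECK_CANDIDATE_TYPES = new Set(["text", "search", "email", "url", "tel", ""]);

// Field names that commonly hold secrets. Assumption for this example; tune per site.
const SENSITIVE_NAME_PATTERN = /pass|pwd|secret|token|key|credential/i;

function fieldType(el) {
  return String(el.type || el.getAttribute("type") || "").toLowerCase();
}

// True when the browser's spell-checker is allowed to look at this field's value.
function isSpellcheckable(el) {
  const tag = String(el.tagName || "").toLowerCase();
  if (tag === "textarea") return el.getAttribute("spellcheck") !== "false";
  if (tag !== "input") return false;
  if (!SPELLCHECK_CANDIDATE_TYPES.has(fieldType(el))) return false;
  return el.getAttribute("spellcheck") !== "false";
}

// True when the field is one we never want sent to a third-party spell service.
function isSensitiveField(el) {
  if (fieldType(el) === "password") return true;
  const autocomplete = el.getAttribute("autocomplete");
  if (autocomplete === "current-password" || autocomplete === "new-password") return true;
  const name = el.getAttribute("name") || el.getAttribute("id") || "";
  return SENSITIVE_NAME_PATTERN.test(name);
}

// Returns the sensitive fields that are currently exposed to spell-checking.
function auditFields(elements) {
  return Array.from(elements).filter((el) => isSensitiveField(el) && isSpellcheckable(el));
}

// Opt the field out of spell-checking regardless of its current type.
function hardenSensitiveField(el) {
  el.setAttribute("spellcheck", "false");
  return el;
}

// Safe "show password" toggle. Switching type to "text" is the moment the
// value becomes eligible for spell-checking, so opt out before switching.
function setPasswordVisible(el, visible) {
  hardenSensitiveField(el);
  el.type = visible ? "text" : "password";
  return el;
}

// Minimal element-like stand-in (constructed for this demo; not a real DOM node).
function fakeElement(tagName, attrs) {
  const a = { ...attrs };
  return {
    tagName,
    get type() { return a.type || ""; },
    set type(v) { a.type = String(v); },
    getAttribute: (k) => (Object.prototype.hasOwnProperty.call(a, k) ? a[k] : null),
    setAttribute: (k, v) => { a[k] = String(v); },
  };
}

// Walk a constructed form: audit, harden, toggle, re-audit. Returns the
// names of exposed fields before and after hardening.
function demo() {
  const form = [
    fakeElement("input", { type: "text", name: "username" }),     // fine to spell-check
    fakeElement("input", { type: "password", name: "password" }), // safe while masked
    fakeElement("textarea", { name: "api_key" }),                 // exposed as-is
  ];
  const before = auditFields(form).map((el) => el.getAttribute("name"));
  auditFields(form).forEach(hardenSensitiveField);
  // A naive toggle that only changed the type would expose "password";
  // the hardened toggle keeps it opted out even while visible.
  setPasswordVisible(form[1], true);
  const after = auditFields(form).map((el) => el.getAttribute("name"));
  return { before, after };
}

console.log(JSON.stringify(demo())); // {"before":["api_key"],"after":[]}
```

In a real page, pass `document.querySelectorAll("input, textarea")` to `auditFields` and wire `setPasswordVisible` to the eye icon instead of flipping `type` directly; the audit is also cheap enough to run as a unit test against rendered templates.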

Sources: OTTO, Spiceworks, TechRadar, Oodaloop, PCMag, Dark Reading.
