Spell-Checking In Google Chrome & Microsoft Edge Browsers Leaks Passwords

A serious security flaw in the advanced spell-check features of Google Chrome and Microsoft Edge allows personal information typed into web forms to be shared in cleartext with third parties.

Some of the largest websites in the world are exposed to sending Google and Microsoft sensitive user Personally Identifiable Information (PII), including usernames, email addresses and passwords, when users log in or fill out forms.

For companies, the greater concern is the exposure of enterprise credentials for internal assets such as databases and cloud infrastructure.

The issue was identified by security firm Otto JavaScript Security (Otto-js), whose researchers call it "spell-jacking". Specifically, the data is harvested when users fill in forms on popular websites and cloud-based enterprise apps: the spell-check features in both browsers send the contents of form fields to Google and Microsoft for checking.

According to the company, the flaw could expose personally identifiable information from some widely used applications such as Amazon Web Services, Google Cloud, LastPass, and Office 365.

Of the 30 websites in the test control group, 96.7% sent data containing PII back to Google and Microsoft, and 73% sent passwords when "show password" was clicked. Worse, the sites that did not send passwords had not actually mitigated the issue; they simply lacked a "show password" feature.

Among the websites Otto-js investigated, Google was the only one that had already fixed the issue for Gmail and some other services, although the researchers found that its Google Cloud Secret Manager remained vulnerable.

The leak occurs whenever Chrome's Enhanced Spellcheck or Edge's Microsoft Editor is enabled; both are opt-in features rather than the browsers' default basic spell-check. Passwords are exposed when the "show password" control is clicked while entering data on a site: revealing the password turns the field into an ordinary text field, which the spell-checker then treats like any other.
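The mechanism in the paragraph above, as an added example that is not code from the article or from Otto-js: a "show password" toggle of the kind many sites ship, beside a hardened version that opts the field out of spell-checking with the standard HTML `spellcheck="false"` attribute before it becomes a text field, plus a small audit that lists which fields a spell-checker would consider. The eligibility rule is a simplified assumption modelled on the report (text inputs and textareas are checked, `type="password"` fields are not, `spellcheck="false"` opts out). The `makeField` stand-in for an `<input>` element is constructed so the file runs under Node without a DOM; the toggle and audit functions themselves work on real elements in a browser.

```javascript
// Added example, not the article's or Otto-js' code. Models how a
// "show password" toggle makes a password field eligible for browser
// spell-check, and the hardened toggle that prevents it.

// Simplified eligibility rule (assumption, modelled on the report): the
// spell-checker looks at text inputs and textareas, never at type="password"
// fields, and skips any element carrying spellcheck="false".
function isSpellcheckEligible(el) {
  if (el.getAttribute('spellcheck') === 'false') return false;
  const tag = el.tagName.toLowerCase();
  if (tag === 'textarea') return true;
  return tag === 'input' && el.type === 'text';
}

// The pattern seen on many sites: flip type=password to type=text so the
// user can read what they typed. From that moment the field is an ordinary
// text field, and with Enhanced Spellcheck / Microsoft Editor enabled its
// value is eligible to be sent to the vendor's spell-check service.
function toggleShowPasswordNaive(el) {
  el.type = el.type === 'password' ? 'text' : 'password';
}

// Hardened toggle: opt the field out of spell-checking *before* it becomes
// a text field, so revealing the password never makes it eligible.
function toggleShowPasswordHardened(el) {
  el.setAttribute('spellcheck', 'false');
  toggleShowPasswordNaive(el);
}

// Opt a whole set of credential fields (username, email, password) out,
// since the report found usernames and emails were sent as well.
function optOutOfSpellcheck(fields) {
  for (const f of fields) f.setAttribute('spellcheck', 'false');
}

// Audit helper: names of the fields whose current value a spell-checker
// could pick up. In a browser you would call
// auditFields(document.querySelectorAll('input, textarea')).
function auditFields(fields) {
  return Array.from(fields).filter(isSpellcheckEligible).map((f) => f.name);
}

// Constructed stand-in for an HTMLInputElement/HTMLTextAreaElement so this
// file runs offline under Node. Not part of any real API.
function makeField(tagName, attrs) {
  const store = { ...attrs };
  return {
    tagName,
    get name() { return store.name; },
    get type() { return store.type; },
    set type(v) { store.type = v; },
    getAttribute(k) { return k in store ? store[k] : null; },
    setAttribute(k, v) { store[k] = String(v); },
  };
}

// Constructed login form: a username field plus a password field with a
// show-password control. Returns the audit result at each stage.
function demoLoginForm() {
  const username = makeField('input', { name: 'username', type: 'text' });
  const password = makeField('input', { name: 'password', type: 'password' });
  const fields = [username, password];

  const before = auditFields(fields);            // ['username']: plain text field is already eligible
  toggleShowPasswordNaive(password);
  const afterNaiveReveal = auditFields(fields);  // ['username', 'password']: the password is now exposed
  toggleShowPasswordNaive(password);             // hide it again

  optOutOfSpellcheck(fields);                    // spellcheck="false" on every credential field
  toggleShowPasswordHardened(password);
  const afterHardening = auditFields(fields);    // []: revealed, but no longer eligible
  return { before, afterNaiveReveal, afterHardening };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demoLoginForm());
}
```

The point of the hardened version is ordering: the opt-out attribute must already be on the element when its type changes, so there is no window in which a text-typed field holding a password is eligible. Note also that the username field is eligible even before any toggle, which is why the audit is run over every credential field and not just the password.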

Sources: OTTO, Spiceworks, TechRadar, Oodaloop, PCMag, Dark Reading
