Spell-Checking In Google Chrome & Microsoft Edge Browsers Leak Passwords

Advanced spell-check features in Google Chrome and Microsoft Edge could cause problems for users as a serious security flaw has been discovered in Google Chrome and Microsoft Edge which allows personal information, to be shared in cleartext with third parties. 

Some of the largest websites in the world have exposure to s   ending Google and Microsoft sensitive user Personally Identifiable Information (PII), including username, email, and passwords, when users are logging in or filling out forms. 

An even more significant concern for companies is the exposure this presents to the company's enterprise credentials to internal assets like databases and cloud infrastructure.

Specifically, the data is harvested when consumers fill in forms on popular websites and cloud-based enterprise apps. It's also called "spell-jacking" by researchers: Both browsers have spell-check features that send data to Microsoft and Google when users fill out forms for websites or Web services. The issue was identified by security firm Otto JavaScript Security (Otto-js). 

According to the company, the flaw could expose personally identifiable information from some widely used applications such as Amazon Web Services, Google Cloud, LastPass, and Office 365.

Of the 30 control group websites tested, 96.7% sent data with PII back to Google and Microsoft, while 73% sent passwords when "show password" was clicked.  Worse, the ones that did not send passwords had not actually mitigated the issue; they just lacked the "show password" feature.

Amongst the websites that Otto-js researchers investigated, Google is the only one that had already fixed the issue for email and some services, although the researchers found that the company's Web service Google Cloud Secret Manager remains vulnerable. 

Whenever Chrome’s Enhanced Spellcheck and Edge’s MS Editor are enabled on browsers, the leak can occur and the applications also leak user passwords if the show password feature is clicked when entering data into a site or device.

OTTO:   Spiceworks:      TechRadar:    Oodaloop:   PCMag:    Dark Reading:  

You Might Also Use: 

Identity Access Management  Essentials:

 

« Microsoft Teams Is Vulnerable To GIFShell Attacks
Legacy Technology is Undermining How Business Responds To Ransomware »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Gamma

Gamma

Gamma is a leading provider of Unified Communications as a Service (UCaaS) into the UK, Dutch, Spanish and German business markets.

AvePoint

AvePoint

AvePoint is an established leader in enterprise-class data management, governance, and compliance software solutions.

Qualitèsoft Technology

Qualitèsoft Technology

Qualitèsoft Technology is a leading Software Development and Quality Assurance organization. We specialize in Custom Development, Mobile Application, Software Testing and Quality Assurance.

Cyber8Lab

Cyber8Lab

Cyber8Lab provides cybersecurity training programmes simulating real world cybersecurity incidents such as web defacement, malware, phishing, digital forensics analysis and wireless intrusion.

Evidence Talks Ltd

Evidence Talks Ltd

A leading forensic computing authority developing unique digital forensic technologies. Tools that detect potential terrorists & criminals & used by the military, enforcement & intelligence commmunity

NSIDE Attack Logic

NSIDE Attack Logic

NSIDE Attack Logic simulates real-world cyber attacks to detect vulnerabilities in corporate networks and systems.

Ingenio Global

Ingenio Global

Ingenio is a specialist recruitment business for SaaS companies. Our purpose is to source exceptional talent in areas including cyber security for leading SaaS companies in the UK and Ireland.

ITRenew

ITRenew

ITRenew is a leading global IT lifecycle management solutions company, specializing in onsite data center decommissioning and data erasure services.

BoldCloud

BoldCloud

BoldCloud's award winning Cybersecurity Advisory services and Layered Security approach adds new critical layers of protection for your data and your business.

Tactical Network Systems (TNS)

Tactical Network Systems (TNS)

Tactical Network Solutions helps you discover hidden attack vectors in IoT and connected devices before someone else does.

VariQ

VariQ

VariQ is a premier provider of Cybersecurity, Software Development and Cloud services to federal, state, and local government.

GAVS Technologies

GAVS Technologies

GAVS is a global IT services provider with focus on AI-led Managed Services and Digital Transformation.

Realsec

Realsec

RealSec is an international company and is a developer of encryption and digital signature systems and Blockchain for the Banking and Methods of Payment sectors, Government and Defense and Multisector

Securix

Securix

SECURIX AG delivers holistic IT security solutions that are tailored to the specific challenges and requirements of your company.

Aeries Technology

Aeries Technology

Aeries is a technology services organization offering capabilities in Technology Services, Digital Transformation, and Business Process Management.

NextGen Cyber Talent

NextGen Cyber Talent

NextGen Cyber Talent is a non-profit providing a platform to increase diversity and inclusion in the cybersecurity industry.