Spell-Checking In Google Chrome & Microsoft Edge Browsers Leaks Passwords

A serious security flaw has been discovered in the advanced spell-check features of Google Chrome and Microsoft Edge: when these features are enabled, personal information typed into web forms can be shared in cleartext with a third party.

Some of the largest websites in the world are exposed to sending Google and Microsoft sensitive user Personally Identifiable Information (PII), including usernames, email addresses and passwords, when users log in or fill out forms.

For companies, an even more significant concern is the exposure of enterprise credentials for internal assets such as databases and cloud infrastructure.

Specifically, the data is harvested when users fill in forms on popular websites and cloud-based enterprise apps. Researchers have named the issue "spell-jacking": both browsers have spell-check features that send the contents of form fields to Microsoft and Google as users fill out forms on websites or web services. The issue was identified by the security firm Otto JavaScript Security (Otto-js).

According to the company, the flaw could expose personally identifiable information entered into widely used applications such as Amazon Web Services, Google Cloud, LastPass and Office 365.

Of the 30 control-group websites tested, 96.7% sent data containing PII back to Google and Microsoft, and 73% sent passwords when "show password" was clicked. Worse, the sites that did not send passwords had not actually mitigated the issue; they simply lacked a "show password" feature.

Among the websites Otto-js investigated, Google was the only company that had already fixed the issue for email and some other services, although the researchers found that Google Cloud Secret Manager remained vulnerable.

The leak can occur whenever Chrome's Enhanced Spellcheck or Edge's Microsoft Editor is enabled in the browser; the basic, on-device spell-checker is not involved. Passwords are also leaked if the user clicks "show password" while entering data into a site, because revealing the password turns the field into ordinary text that the spell-checker is allowed to read.
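As an added example, not code from the article or from Otto-js: a Node.js script that audits a form's markup for fields an enhanced spell-checker could transmit and hardens them with the standard HTML spellcheck="false" attribute. It models the mechanism the findings above rest on: browsers do not spell-check type="password" fields, but a "show password" toggle switches the field to type="text", so its value becomes eligible for the spell-check request unless the field is explicitly opted out. The list of sensitive name fragments and the sample form are constructed assumptions for the demonstration, not data from any real site.

```javascript
// Added example (not from the article or Otto-js): a Node.js audit for form
// markup that enhanced spell-check could transmit off-site, and a hardening
// pass that opts those fields out with the standard HTML spellcheck attribute.
// Regex-based on purpose so it runs offline without a DOM.

// Input types whose text browsers may spell-check. "password" is included because a
// "show password" toggle typically switches it to type="text", at which point the
// value becomes spell-checkable.
const SPELLCHECKABLE_TYPES = new Set(["text", "search", "email", "url", "tel", "password"]);

// Name/id fragments that usually carry credentials or PII (assumed heuristic list).
const SENSITIVE_NAME = /(pass|pwd|secret|token|user|login|email|phone|ssn|card)/i;

// Parse the attributes of one <input ...> tag into an object with lowercase keys.
function parseAttrs(tag) {
  const attrs = {};
  const inner = tag.replace(/^<input\s*/i, "").replace(/\s*\/?>$/, "");
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(inner)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").trim();
  }
  return attrs;
}

// True when the field could reach the spell-check service and is not opted out.
function needsProtection(attrs) {
  const type = (attrs.type || "text").toLowerCase();   // <input> defaults to type=text
  if (!SPELLCHECKABLE_TYPES.has(type)) return false;   // hidden, checkbox, submit, ...
  const label = attrs.name || attrs.id || "";
  const sensitive = type === "password" || SENSITIVE_NAME.test(label);
  return sensitive && (attrs.spellcheck || "").toLowerCase() !== "false";
}

// Report every <input> in `html` that needsProtection(), with the reason.
function auditInputs(html) {
  const findings = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const a = parseAttrs(tag);
    if (!needsProtection(a)) continue;
    const type = (a.type || "text").toLowerCase();
    findings.push({
      field: a.name || a.id || "(unnamed)",
      type,
      reason: type === "password"
        ? 'password field: exposed once a "show password" toggle sets type=text'
        : "spell-checkable field that appears to hold PII",
    });
  }
  return findings;
}

// Hardened form: give every flagged input spellcheck="false", replacing an
// existing spellcheck attribute (e.g. spellcheck="true") or appending one.
function hardenInputs(html) {
  return html.replace(/<input\b[^>]*>/gi, (tag) => {
    if (!needsProtection(parseAttrs(tag))) return tag;
    if (/\bspellcheck\b/i.test(tag)) {
      return tag.replace(/\bspellcheck\s*(?:=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/i, 'spellcheck="false"');
    }
    return tag.replace(/\s*\/?>$/, (end) => ` spellcheck="false"${end.trim()}`);
  });
}

// Client-side "show password" toggle modelled on a plain attribute object: flipping
// type to text must keep spellcheck off, otherwise the reveal itself causes the leak.
function toggleReveal(attrs, reveal) {
  return { ...attrs, type: reveal ? "text" : "password", spellcheck: "false" };
}

// Constructed sample login form for the demonstration (not from any real site).
const SAMPLE_FORM = `
<form action="/login" method="post">
  <input type="email" name="username" autocomplete="username">
  <input type="password" name="password" id="pw">
  <input type="text" name="q" placeholder="Search help">
  <input type="password" name="otp" spellcheck="false">
  <input type="hidden" name="csrf" value="constructed">
</form>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log("Before hardening:", auditInputs(SAMPLE_FORM));
  console.log("After hardening:", auditInputs(hardenInputs(SAMPLE_FORM)));
  console.log(hardenInputs(SAMPLE_FORM));
}
```

Run it with `node`. On a real site the same check belongs in a template linter or pre-commit hook, and any "show password" handler should set spellcheck="false" before it changes the input type. The attribute is a per-page defence only: whether enhanced spell-check is switched on at all is decided by the user or the browser administrator, not by the site.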
