A critical security flaw has been discovered in Google Chrome and Microsoft Edge that allows personal information, including passwords, to be shared in clear text with third parties.
When the enhanced spellcheck features are enabled, users are informed that data will be sent to Google and Microsoft. This is typical: companies routinely collect usage statistics and data to help improve how functionality is performed. In this case, however, personal information entered by the user in either browser is also shared in clear text. This can include usernames, passwords, email addresses, dates of birth, social security numbers, payment details, and more.
As otto-js co-founder and CTO Josh Summit explained, in terms of Chrome’s enhanced spellcheck, “if ‘show password’ is enabled, the feature will even send your password to their 3rd Party servers. While researching data breaches in different browsers, we found a combination of features that, when enabled, unnecessarily exposed sensitive data to third parties such as Google and Microsoft. It is worrying how easy it is to enable these features, and most users will enable them without really realizing what is happening in the background.”
Otto-js lists the top five online services used by enterprise companies that are at risk of this security breach. They include Office 365, Alibaba’s cloud services, Google Cloud Secret Manager, AWS Secret Manager, and LastPass. However, both AWS and LastPass have mitigated this problem. Google has mitigated it in some, but not all, of its services.
It’s not just business users who are at risk here, though. Otto-js selected over 50 websites and divided them into six categories covering online banking, healthcare, social media, e-commerce, cloud office tools and government. 96.7% of them were found to send personal data to Google and Microsoft when the enhancements were enabled, and 73% of them send your password when the “Show Password” option is clicked.
Walter Hoehn, VP of Engineering at otto-js, points out, “One of the most interesting things about this type of exposure is that it is caused by an unexpected interaction between two separate features that are both beneficial to the user. Enhanced Spell Check in Chrome and the corresponding feature in Edge are a major upgrade from the default dictionary-based approach. Likewise, sites that offer the option to display passwords in clear text are more useful, especially for people with disabilities. When they are used together, the actual password exposure happens.”
If you haven’t enabled these enhancements in Chrome or Edge, your personal data will not be shared. If you have, then disabling the feature in Chrome or uninstalling the add-on in Edge is recommended until the problem is resolved. Both Google and Microsoft have been informed of the security holes inherent in these enhancements.
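The interaction Hoehn describes is a site-side problem as much as a browser-side one: a password field is safe only until a “show password” control switches it to a plain text field that the spellchecker can read. As an added example (not code from the article or from otto-js), the following audit scans a page’s HTML for sensitive form fields that carry no `spellcheck="false"` attribute and produces a hardened copy. It assumes, which the article does not state, that the browsers honour the standard HTML `spellcheck` attribute, so that `spellcheck="false"` keeps a field out of what the enhanced spellcheck sends; the field-name heuristics and the sample form are constructed for illustration.

```javascript
// Added example, not from the article or otto-js. Audits <input> tags for
// sensitive fields that lack spellcheck="false" and rewrites them to carry it.
// Assumption: the browsers honour the standard HTML spellcheck attribute.

const SENSITIVE_TYPES = new Set(["password", "email", "tel"]);
// Constructed heuristic for free-text fields that usually hold sensitive data.
const SENSITIVE_NAME = /pass|pwd|secret|token|ssn|social|card|cvv|dob|birth|user/i;

// Parse the attributes of a single <input ...> tag into a plain object.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*input\b/i, "").replace(/\/?\s*>$/, "");
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// A field the spellchecker should never see: sensitive type or sensitive name.
function isSensitive(attrs) {
  const type = (attrs.type || "text").toLowerCase();
  const name = attrs.name || attrs.id || "";
  return SENSITIVE_TYPES.has(type) || SENSITIVE_NAME.test(name);
}

function spellcheckDisabled(attrs) {
  return (attrs.spellcheck || "").toLowerCase() === "false";
}

// One finding per sensitive <input> that lacks spellcheck="false".
function auditInputs(html) {
  const findings = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const attrs = parseAttributes(tag);
    if (!isSensitive(attrs) || spellcheckDisabled(attrs)) continue;
    const type = (attrs.type || "text").toLowerCase();
    findings.push({
      field: attrs.name || attrs.id || "(unnamed)",
      type,
      reason: type === "password"
        ? "exposed once a 'show password' control switches the field to type=text"
        : "free-text field whose contents the spellcheck service would receive",
    });
  }
  return findings;
}

// Return the HTML with spellcheck="false" on every sensitive <input>.
function hardenInputs(html) {
  return html.replace(/<input\b[^>]*>/gi, (tag) => {
    const attrs = parseAttributes(tag);
    if (!isSensitive(attrs) || spellcheckDisabled(attrs)) return tag;
    // Drop any existing spellcheck attribute, then append the disabling one.
    const cleaned = tag.replace(/\s+spellcheck\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/i, "");
    return cleaned.replace(/\s*\/?>$/, (end) => ` spellcheck="false"${end.trim()}`);
  });
}

// Constructed sample login form, not taken from any real site.
const SAMPLE_FORM = `
<form action="/login" method="post">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" autocomplete="current-password">
  <input type="email" name="email" spellcheck="false">
  <input type='text' name='ssn' spellcheck='false'>
  <input type="text" name="search">
  <input type="checkbox" name="remember" value="1">
  <input type="submit" value="Sign in">
</form>`;

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditInputs(SAMPLE_FORM)) {
    console.log(`${f.type.padEnd(9)} ${f.field.padEnd(10)} ${f.reason}`);
  }
  console.log(hardenInputs(SAMPLE_FORM));
}
```

On the sample form the audit flags `username` and `password` and leaves the fields that already disable spellcheck alone; after `hardenInputs` a second audit reports nothing. The regex scanner is deliberate for a one-off check over static markup; in a real site the same rule belongs in the template or component that renders login forms, and any “show password” toggle should leave `spellcheck="false"` in place when it changes the field type.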