Chrome, Edge Enhanced Spelling Features Are Exposing Your Personal Information


A critical security flaw has been discovered in Google Chrome and Microsoft Edge that allows personal information, including passwords, to be shared in clear text with third parties.

As Technical Radar reports, the vulnerability was discovered by JavaScript security firm otto-js, and is known as “spell hijacking.” The problem stems from using Chrome’s Enhanced Spell Check and Edge’s Microsoft Editor features. Both are turned off by default, and the user has to choose to enable them. Microsoft Editor takes the form of an add-on that you need to install.

When they are enabled, users are informed that data will be sent to Google and Microsoft. This is typical as all companies like to collect usage statistics and data to help improve how functionality is performed. However, in this case, personal information entered by the user in either browser is also shared in clear text. This can include usernames, passwords, email addresses, dates of birth, social security numbers, payment details, and more.

As otto-js co-founder and CTO Josh Summit explained, in terms of Chrome’s enhanced spellcheck, “if ‘show password’ is enabled, the feature will even send your password to their 3rd Party servers. While researching data breaches in different browsers, we found a combination of features that, when enabled, unnecessarily exposed sensitive data to third parties such as Google and Microsoft. It is worrying how easy it is to enable these features, and that most users will enable them without really realizing what is happening in the background.”

Otto-js lists the top five online services used by enterprise companies that are at risk of this security breach. They include Office 365, Alibaba’s cloud services, Google Cloud Secret Manager, AWS Secrets Manager, and LastPass. However, both AWS and LastPass have mitigated this problem. Google has mitigated it for some, but not all, of its services.

Example passwords disclosed in clear text and shared with Google.

(Source: otto-js)

It’s not just business users who are at risk here, though. Otto-js selected over 50 websites and divided them into six categories covering online banking, healthcare, social media, e-commerce, cloud office tools and government. 96.7% of them were found to send personal data to Google and Microsoft when the enhancements were enabled. 73% of them sent the password when the “Show Password” option was clicked.

Walter Hoehn, VP of Engineering at otto-js, points out, “One of the most interesting things about this type of exposure is that it is caused by an unexpected interaction between two separate features that are both beneficial to the user. The enhanced spell check features in Chrome and Edge are a major upgrade from the default dictionary-based approach. Likewise, sites that offer the option to display passwords in clear text are more useful, especially for people with disabilities. When they are used together, the actual password exposure happens.”

If you haven’t enabled these enhancements in Chrome or Edge, your personal data will not be shared. If you have, then disabling the feature in Chrome or uninstalling the add-on in Edge is recommended until the problem is resolved. Both Google and Microsoft have been informed of the security holes inherent in these enhancements.
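
For site owners, the interaction Hoehn describes can be checked for and closed off in the page itself. The sketch below is an added example, not code from otto-js or from the original article. It assumes the standard HTML `spellcheck` attribute is the opt-out, and its keyword list, function names and sample fields are hypothetical and constructed for illustration.

```javascript
// Added example: audit and harden form fields against spell-check leakage.
// The functions accept real DOM elements in a browser; the plain objects in
// sampleForm are constructed stand-ins so the code also runs under Node.

// Assumption: name/id/autocomplete hints for the data types the article lists.
const SENSITIVE = /pass|pwd|secret|token|ssn|card|cvv|birth|email|user/i;

function isSensitive(el) {
  const hints = `${el.name || ''} ${el.id || ''} ${el.autocomplete || ''}`;
  return el.type === 'password' || SENSITIVE.test(hints);
}

// A field can leak when its text is eligible for spell checking. Masked
// password inputs are not spell-checked; the same field shown as text is.
// Conservatively, every other field type counts as eligible unless opted out.
function isExposed(el) {
  return isSensitive(el) && el.type !== 'password' && el.spellcheck !== false;
}

// Return the names of sensitive fields that are still spell-checkable.
function auditFields(fields) {
  return Array.from(fields).filter(isExposed).map((el) => el.name || el.id);
}

// Opt the field out of spell checking (same as spellcheck="false" in markup).
function harden(el) {
  el.spellcheck = false;
  return el;
}

// "Show password" toggle that hardens before unmasking, so the clear-text
// value never sits in a spell-checkable field.
function toggleShowPassword(el) {
  harden(el);
  el.type = el.type === 'password' ? 'text' : 'password';
  return el.type;
}

// Constructed sample form.
const sampleForm = [
  { name: 'username', type: 'text' },
  { name: 'password', type: 'password' },
  { name: 'comment', type: 'textarea' },
  { name: 'card_number', type: 'text', spellcheck: false },
];
console.log(auditFields(sampleForm));
```

In a browser, the same audit can be run as `auditFields(document.querySelectorAll('input, textarea, [contenteditable]'))`.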
