A serious security flaw has been discovered in Google Chrome and Microsoft Edge which allows personal information, including passwords, to be shared in cleartext with third parties.
As TechRadar reports, the flaw was discovered by JavaScript security firm otto-js and is referred to as “Spell-Jacking.” The problem stems from the use of Chrome’s Enhanced Spellcheck and Edge’s Microsoft Editor features, both of which a user can opt to enable, but are turned off by default. In the case of the Microsoft Editor, it takes the form of an add-on you need to install.
When they are enabled, the user is informed that data will be sent to Google and Microsoft. This is typical, as all companies like to collect usage statistics and data to help improve how a feature performs. However, in this case the personal information being entered by a user into either browser is also being shared in cleartext. This can include username, password, email address, date of birth, social security number, payment details, and the list goes on.
As Josh Summit, co-founder and CTO of otto-js explains, in the case of Chrome’s Enhanced Spellcheck, “If ‘show password’ is enabled, the feature even sends your password to their 3rd-party servers. While researching for data leaks in different browsers, we found a combination of features that, once enabled, will unnecessarily expose sensitive data to 3rd Parties like Google and Microsoft. What’s concerning is how easy these features are to enable and that most users will enable these features without really realizing what is happening in the background.”
Otto-js listed the top five online services used by enterprise companies that are at risk from this security flaw. They include Office 365, Alibaba’s Cloud Service, Google Cloud Secret Manager, AWS Secret Manager, and LastPass. However, both AWS and LastPass have already mitigated the issue. Google has mitigated it for some, but not all of its services.
(Credit: otto-js)
It’s not just enterprise users at risk here, though. Otto-js selected over 50 websites and split them into six categories covering online banking, healthcare, social media, e-commerce, cloud office tools, and government. 96.7% of them were found to send personal data to Google and Microsoft when the enhanced features are enabled. 73% sent your password to them when the “show password” option was clicked.
Walter Hoehn, otto-js VP of Engineering, noted that, “One of the most interesting things about this type of exposure is that it’s caused by the unintended interaction between two features that are, in isolation, both beneficial to users. The enhanced spellchecking features in Chrome and Edge offer a significant upgrade over the default dictionary-based methods. Likewise, websites that provide the option of displaying passwords in cleartext are more usable, especially for those with disabilities. It’s when they are used together that the actual password exposure happens.”
If you haven’t turned on these enhanced features in either Chrome or Edge, then your personal data won’t be shared. If you have, then disabling the feature in Chrome or uninstalling the add-on in Edge is advised until the problem is fixed. Both Google and Microsoft have been told about the security flaw inherent in these enhanced features.
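For site owners, the exposure described above can be closed from the page side with HTML's `spellcheck="false"` attribute, which tells the browser not to spellcheck a field. The following is an added example, not code from otto-js, Google or Microsoft; the function names and the field-name heuristic are assumptions made for illustration.

```javascript
// Added example: defender-side hardening, not code from otto-js or the browser vendors.
// Autocomplete tokens (HTML standard) that mark a field as carrying secrets or payment data.
const SENSITIVE_AUTOCOMPLETE = new Set([
  "current-password", "new-password", "one-time-code",
  "cc-number", "cc-csc", "cc-exp",
]);
// Assumption: a name/id heuristic for fields that carry no autocomplete hint.
const SENSITIVE_NAME = /passw|pwd|secret|ssn|cvv|cvc|card/i;

function isSensitive(el) {
  const type = (el.getAttribute("type") || "text").toLowerCase();
  if (type === "password") return true;
  // A "show password" toggle switches type to "text"; the hints below still identify the field.
  const tokens = (el.getAttribute("autocomplete") || "").toLowerCase().split(/\s+/);
  if (tokens.some((t) => SENSITIVE_AUTOCOMPLETE.has(t))) return true;
  const label = `${el.getAttribute("name") || ""} ${el.getAttribute("id") || ""}`;
  return SENSITIVE_NAME.test(label);
}

// Sets spellcheck="false" on every sensitive field that does not already have it.
// Returns the elements that were changed so the result can be logged or checked.
function hardenSensitiveFields(elements) {
  const changed = [];
  for (const el of elements) {
    if (!isSensitive(el)) continue;
    if ((el.getAttribute("spellcheck") || "").toLowerCase() === "false") continue;
    el.setAttribute("spellcheck", "false");
    changed.push(el);
  }
  return changed;
}

// In a browser: harden fields present at load, fields added later, and fields whose type is toggled.
if (typeof document !== "undefined") {
  const run = () => hardenSensitiveFields(document.querySelectorAll("input, textarea"));
  run();
  new MutationObserver(run).observe(document.documentElement, {
    childList: true, subtree: true, attributes: true, attributeFilter: ["type"],
  });
}
```

Setting the attribute directly in the server-rendered markup is preferable where possible; the script form is useful for auditing or for pages whose templates cannot be changed quickly.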