Google, Microsoft can get your passwords via web browser's spellcheck - BleepingComputer

Google, Microsoft can get your passwords via web browser's spellcheck - BleepingComputer

Google, Microsoft can get your passwords via web browser's spellcheck - BleepingComputer
Sep 17, 2022 2 mins, 33 secs

Extended spellcheck features in Google Chrome and Microsoft Edge web browsers transmit form data, including personally identifiable information (PII) and in some cases, passwords, to Google and Microsoft respectively

While this may be a known and intended feature of these web browsers, it does raise concerns about what happens to the data after transmission and how safe the practice might be, particularly when it comes to password fields

Both Chrome and Edge ship with basic spellcheckers enabled. But, features like Chrome's Enhanced Spellcheck or Microsoft Editor when manually enabled by the user, exhibit this potential privacy risk

When using major web browsers like Chrome and Edge, your form data is transmitted to Google and Microsoft, respectively, should enhanced spellcheck features be enabled

Depending on the website you visit, the form data may itself include PII—including but not limited to Social Security Numbers (SSNs)/Social Insurance Numbers (SINs), name, address, email, date of birth (DOB), contact information, bank and payment information, and so on

In cases where Chrome Enhanced Spellcheck or Edge's Microsoft Editor (spellchecker) were enabled, "basically anything" entered in form fields of these browsers was transmitted to Google and Microsoft

"Furthermore, if you click on 'show password,' the enhanced spellcheck even sends your password, essentially Spell-Jacking your data," explains otto-js in a blog post

"Some of the largest websites in the world have exposure to sending Google and Microsoft sensitive user PII, including username, email, and passwords, when users are logging in or filling out forms

With enhanced spellcheck enabled, and assuming the user tapped "show password" feature, form fields including username and password are transmitted to Google at googleapis.com

Although the transmission of form fields is happening securely over HTTPS, it may not be imminently clear as to what happens to user data once it reaches the third-party, in this example, Google's server

"The Enhanced spell check feature requires an opt-in from the user," a Google spokesperson confirmed to BleepingComputer

Note, that this is in contrast to the basic spellchecker that is enabled in Chrome by default and does not transmit data to Google

To review if Enhanced spell check is enabled in your Chrome browser, copy-paste the following link in your address bar

As evident from the screenshot, the feature's description explicitly states that with Enhanced spell check enabled, "text that you type in the browser is sent to Google."

The 'spellcheck' HTML attribute when left out from form text input fields is usually assumed by web browsers be true by default

"Alternatively, you could add it to just the form fields with sensitive data

Ironically enough, we observed Twitter's login form, which comes with the "show password" option, has the password field's "spellcheck" HTML attribute explicitly set to true:

As an added safeguard, Chrome and Edge users can turn off Enhanced Spell Check (by following the aforementioned steps) or remove the Microsoft Editor add-on from Edge until both companies have revised extended spellcheckers to exclude processing of sensitive fields, like passwords

1 The Quest to Make a Vaccine for Urinary Tract Infections - The Daily Beast

Oct 01, 2022 # health 1 min, 51 secs

2 Kylie Jenner oozes confidence as she dons a pair of white pants at the Loewe show during PFW - Daily Mail

Sep 30, 2022 # politics 2 mins, 43 secs

3 The 3 million richest Americans are wealthier than 291 million

Sep 29, 2022 # breaking 1 min, 15 secs

4 Kevin Feige On Not Recasting T'Challa In The MCU: 'It Was Much Too Soon' – Exclusive - Empire

Sep 26, 2022 # entertainment 55 secs

5 Sunken Gardens flamingos, still in a St. Petersburg bathroom, are doing fine - Tampa Bay Times

Sep 30, 2022 # politics 50 secs

6 Teenage Engineering's Tiny Record Player Also Makes Custom Vinyl Records - Gizmodo

Sep 29, 2022 # technology 51 secs

7 Ahead of Overwatch 2, a eulogy for the Overwatch I once knew - Gamesradar

Sep 27, 2022 # technology 2 mins, 21 secs

8 Big Brother season 24 jury answers burning questions - Entertainment Weekly News

Sep 25, 2022 # entertainment 3 mins, 44 secs

9 WILD HEARTS launches February 17, 2023 for PS5, Xbox Series, and PC; debut trailer and screenshots - Gematsu

Sep 29, 2022 # technology 53 secs

10 New viewership numbers are here for Amazon's 'Rings of Power' — here's how it compares to HBO's 'House of the Dragon' - Yahoo Finance

Sep 30, 2022 # entertainment 32 secs

11 Kevin Feige Reveals Why Chadwick Boseman’s T’Challa Was Not Recast In ‘Wakanda Forever’: “It Was Much Too Soon” - Deadline

Sep 26, 2022 # entertainment 35 secs

12 October's Scary Big Pile of New Sci-Fi, Fantasy, and Horror Books - Gizmodo

Sep 30, 2022 # entertainment 3 mins, 56 secs

13 Apple is taking credit for Google adding iMessage reactions on Android - 9to5Google

Sep 29, 2022 # technology 57 secs

14 Overwatch 2 Review in Progress - IGN

Sep 29, 2022 # technology 3 mins, 19 secs

15 JetBlue, Southwest spar over slots in antitrust trial

Sep 29, 2022 # breaking 31 secs

16 Hands on with AptX Lossless, the new tech promising CD-quality audio over Bluetooth - The Verge

Sep 26, 2022 # technology 2 mins, 12 secs

Get monthly updates and free resources.


© Copyright 2022 365NEWSX - All RIGHTS RESERVED