The spell checkers on Chrome and Edge browsers send sensitive information you type, like passwords, to Google and Microsoft servers.
According to the Otto-JS security research team, the Microsoft Editor on Microsoft Edge and the enhanced built-in spell checker in Google Chrome exchange your personal information with Google and Microsoft servers.
Specifically, any text input that could be checked by these spell checkers is sent to the two American giants, whether it be on a login page or a form. It could include first and last names, email addresses, birth dates, social security numbers, etc. This applies to all text fields that these spell checkers may look at. If this doesn’t startle you in some way, what comes next might wind up being scarier. In reality, the Otto-JS team did find far worse.
Chrome and Edge’s spell check features leak your data and passwords
The company’s managers examined the scripts’ operation and discovered that pressing the button to display the just-typed password also sent it to the servers of Google and Microsoft.
“What is concerning is how easy it is to activate these features and that most users will activate them without really realizing what is going on in the background,” said the Otto-JS co-founder in the company’s statement.
Unlike the improved Chrome spell checker, which comes with the browser by default, the Microsoft Editor extension in Edge must be installed voluntarily by the user.
The Otto-JS team came up with a potent illustration to show the possible harm that these extensions could cause. A user’s password is sent to Google’s servers when they log in to Alibaba Cloud, according to screenshots that the business has made available. However, neither Google nor Microsoft is connected to the service in any way. This vulnerability, which Otto-JS calls “Spell-jacking,” can affect any internal corporate network or cloud architecture.
After alerting some of the sector’s titans to the breach, Otto-JS assisted them in making the appropriate adjustments. This is true, for example, of the teams in charge of the password manager from LastPass and of Amazon Web Services’ security. Their security team recently made changes to the application’s code to prevent spell checkers from accessing text regions containing private information.
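One way a site can keep spell checkers away from private fields is the standard HTML `spellcheck` attribute, sketched below as an added example (not code from Otto-JS, LastPass or AWS; the page does not say which mechanism those teams used). The matching patterns and the `makeField` stand-in for a DOM element are assumptions for illustration.

```javascript
// Added example: opt sensitive form fields out of browser spell checking.
// The patterns below are illustrative assumptions, not an exhaustive list.
const SENSITIVE_AUTOCOMPLETE = /password|cc-|one-time-code|email|name|bday|tel/i;
const SENSITIVE_NAME = /pass|pwd|secret|token|ssn|email|birth|card/i;

// True when a field is likely to hold private data. The name/id check matters
// because a "show password" button switches type="password" to type="text".
function isSensitive(el) {
  const tag = (el.tagName || "").toLowerCase();
  if (tag !== "input" && tag !== "textarea") return false;
  const type = (el.getAttribute("type") || "text").toLowerCase();
  if (type === "password" || type === "email") return true;
  const hint = `${el.getAttribute("name") || ""} ${el.getAttribute("id") || ""}`;
  return SENSITIVE_AUTOCOMPLETE.test(el.getAttribute("autocomplete") || "") ||
         SENSITIVE_NAME.test(hint);
}

// Set spellcheck="false" on every sensitive field; returns how many changed.
// The attribute survives a later type change, so a revealed password stays
// excluded from spell checking.
function hardenFields(elements) {
  let changed = 0;
  for (const el of elements) {
    if (isSensitive(el) && el.getAttribute("spellcheck") !== "false") {
      el.setAttribute("spellcheck", "false");
      changed++;
    }
  }
  return changed;
}

// Constructed stand-in for a DOM input so the logic also runs outside a browser.
function makeField(attrs) {
  const a = { ...attrs };
  return {
    tagName: "INPUT",
    getAttribute: (k) => (k in a ? a[k] : null),
    setAttribute: (k, v) => { a[k] = String(v); },
  };
}

// Browser wiring: harden at load and again whenever fields are added or retyped.
if (typeof document !== "undefined") {
  const run = () => hardenFields(document.querySelectorAll("input, textarea"));
  run();
  new MutationObserver(run).observe(document.documentElement, {
    childList: true, subtree: true, attributes: true,
    attributeFilter: ["type", "spellcheck"],
  });
}
```

Setting `spellcheck="false"` directly in the server-rendered markup covers the same fields before any script runs.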