Chrome’s enhanced spellcheck & Edge’s MS Editor are sending data you enter into form fields like username, email, DOB, SSN, basically anything in the fields, to sites you’re logging into from either of those browsers when the features are enabled. Furthermore, if you click on “show password,” the enhanced spellcheck even sends your password, essentially Spell-Jacking your data.
shows employee credentials(password) being sent to Google while logging into the company’s Alibaba Cloud Account.
otto-js co-founder & CTO Josh Summitt discovered the spellcheck leak while testing the company’s script behaviors detection.
“If ‘show password’ is enabled, the feature even sends your password to their 3rd-party servers. While researching for data leaks in different browsers, we found a combination of features that, once enabled, will unnecessarily expose sensitive data to 3rd Parties like Google and Microsoft. What’s concerning is how easy these features are to enable and that most users will enable these features without really realizing what is happening in the background.” Josh Summitt
oth security teams from AWS and LastPass have responded to the outreach and both have already mitigated the issue.
- Office 365
- Alibaba – Cloud Service
- Google Cloud – Secret Manager
- AWS – Secrets Manager (UPDATE: has already fully mitigated the issue)
- LastPass (UPDATE: has already fully mitigated the issue)
Source: Chrome & Edge Enhanced Spellcheck Features Expose PII, Even Your Passwords | otto