When you write sensitive information, such as passwords, the spell checkers on Edge and Chrome browsers send it to Google and Microsoft servers.
The Microsoft Editor on Microsoft Edge and the improved built-in spell checker in Google Chrome exchange your personal information with Google and Microsoft servers, according to the Otto-JS security research team.
Concretely, whether it’s a login page or a form, any material input in a text field that may be reviewed by these spell checkers is forwarded to the two American giants. First and last names, email addresses, dates of birth, social security numbers, etc. may be part. All text fields that these spell checkers may examine are into this. If this is not somewhat shocking, the following may end to be up being scarier. The Otto-JS team did discover far worse, in fact.
Chrome and Edge’s spell check feature leak your data and passwords
Gizchina News of the week
The company’s managers tested the functionality of their scripts and found that clicking the button to show the password they had just typed also transmitted it to the servers of Google and Microsoft.
“What is concerning is how easy it is to activate these features and that most users will activate them without really realizing what is going on in the background” said the Otto-JS co-founder in the company’s statement .
In contrast to the enhanced Chrome spell checker, which is avilable by default in the browser. The Microsoft Editor in Edge is an extension that the user must willingly install.
The Otto-JS team developed a powerful example to highlight the potential harm that these extensions might provide. According to screenshots provided by the company, when a user connects into Alibaba Cloud, Google‘s servers receive their password. But neither Google nor Microsoft has any association with the service. This exploit, which Otto-JS refers to as “Spell-jacking,” can affect any cloud infrastructure or internal corporate network.
Otto-JS helped some of the sector’s giants make the necessary corrections after informing them of the breach’s existence. This is true, for instance, for the teams in charge of LastPass’s password manager. And the security of Amazon Web Services. Its application’s code hot modifications by their security staff to stop spell checkers from accessing text areas holding private information.
In the following video, you can check how to deactivate the advanced spell checker on Google Chrome browser.