
Google Chrome and Microsoft Edge leak passwords through spell check

Google Chrome and Microsoft Edge not long ago introduced more powerful spell checkers that are meant to improve writing. However, according to the otto-js research team, these features have also turned out to be a channel through which sensitive data is sent to the two corporations: email addresses, usernames, dates of birth, social security numbers, contact details, payment data, other sensitive identification data (such as the DNI in Spain) and even the password itself when the feature that reveals it on screen is used.

otto-js has found that, depending on the website the user visits (the leak does not occur on every website), Enhanced spell check in Google Chrome and Microsoft Editor in Edge (also an enhanced spell checker) can send the companies behind them practically any data the user types into a form.

An email address is not especially compromising on its own without the password, and even less so if a strong one is used that is hard to crack by brute force (more than a dozen characters, mixing letters, numbers and special characters). Still, it is hardly pleasant that data such as the password, the DNI, the social security number and payment card numbers end up on Google's and Microsoft's servers without the user being warned.

As already noted, leaking the password appears to have one extra requirement: using the feature that displays it in clear text, which people generally use to check that it has been typed correctly when nobody else is around. The researchers tested this on the Alibaba login form.

Websites on which the leak could be reproduced include Office 365, Alibaba's cloud service, Google Cloud, Amazon Web Services (AWS) and the password manager LastPass. As otto-js reported in updates to the post on its official blog, the last two have already introduced the mitigations needed to stop the leak from recurring: they added spellcheck=false to every input field on their forms to block spell checking.
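The mitigation just described, setting spellcheck="false" on form fields, can be checked and applied programmatically. The following is an added example written for this page, not code from the article, otto-js, LastPass or AWS. It describes form fields as plain objects so the audit logic runs without a browser, and applyToDom() shows the same fix on a live page. The list of text-like input types, the sensitive-name heuristic and the sample form are all constructed assumptions for the example; password fields are included because the "show password" feature typically switches them to a plain text input, at which point the enhanced spell checker would see their contents.

```javascript
// Added example (not from the article or otto-js): audit a form's fields for
// the spellcheck="false" mitigation and return hardened copies.

// Input types whose contents a spell checker can read. Assumption based on the
// article's guidance of setting spellcheck=false on all input fields.
const TEXT_LIKE_TYPES = new Set(['', 'text', 'email', 'tel', 'url', 'search', 'textarea']);

// Field names hinting at the data classes the article lists (e-mail, ID and
// social security numbers, payment data). Constructed heuristic, not a standard.
const SENSITIVE_NAME = /user|login|email|mail|phone|birth|dob|ssn|social|dni|card|pan|iban|account|pass/i;

// Classify one field: null when nothing needs doing, otherwise an object
// explaining why the field should carry spellcheck="false".
function auditField(field) {
  const type = (field.type || '').toLowerCase();
  const spellcheck = String(field.spellcheck ?? '').toLowerCase();
  if (spellcheck === 'false') return null;              // already mitigated
  if (type === 'password') {
    // A show-password toggle turns this into type="text"; the attribute must
    // already be present for the toggled field to stay out of the checker.
    return { name: field.name, severity: 'high', reason: 'password field; exposed when toggled to text' };
  }
  if (!TEXT_LIKE_TYPES.has(type)) return null;          // checkbox, hidden, number... not spell-checked
  const severity = SENSITIVE_NAME.test(field.name || '') ? 'high' : 'medium';
  const reason = severity === 'high' ? 'free-text field likely holding personal data' : 'free-text field';
  return { name: field.name, severity, reason };
}

// Audit a whole form: list every field still exposed to the spell checker.
function auditForm(fields) {
  return fields.map(auditField).filter(Boolean);
}

// Hardened copies: every text-like or password field gets spellcheck "false";
// fields the checker never reads are left untouched.
function hardenForm(fields) {
  return fields.map(f => {
    const type = (f.type || '').toLowerCase();
    const exposed = type === 'password' || TEXT_LIKE_TYPES.has(type);
    return exposed ? { ...f, spellcheck: 'false' } : { ...f };
  });
}

// Same fix applied to a live page (assumption: called once the form is in the
// DOM). Returns the number of elements touched; 0 when no DOM is available.
function applyToDom(root = typeof document !== 'undefined' ? document : null) {
  if (!root) return 0;
  const els = root.querySelectorAll('input, textarea');
  els.forEach(el => el.setAttribute('spellcheck', 'false'));
  return els.length;
}

// Constructed sample: a login form of the kind the researchers tested.
const SAMPLE_FORM = [
  { name: 'username', type: 'text' },
  { name: 'password', type: 'password' },
  { name: 'remember', type: 'checkbox' },
  { name: 'comment', type: 'textarea', spellcheck: 'true' },
  { name: 'email', type: 'email', spellcheck: 'false' },
];

console.log('findings:', auditForm(SAMPLE_FORM));
console.log('hardened:', hardenForm(SAMPLE_FORM));
console.log('remaining after hardening:', auditForm(hardenForm(SAMPLE_FORM)).length);
```

Running the block lists three findings for the sample form (username, password and the comment textarea; the email field is already mitigated and the checkbox is never spell-checked) and zero findings after hardenForm() has been applied. Setting the attribute on the server-rendered markup is preferable to patching it in at runtime, since the field is then never exposed, even briefly, before the script runs.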

The outlet BleepingComputer has also carried out its own research and added CNN, Facebook, SSA.gov (the US Social Security Administration), Bank of America and Verizon to otto-js's list, so those websites are also contributing, unintentionally, to leaking data that should remain exclusively private to the user.

In total, otto-js examined more than 50 websites and selected 30 of them as a control group covering six categories: online banking, cloud office tools, medical services, government institutions, social media and e-commerce. Of those 30 websites in the control group, 96.7% send personal data to Google and Microsoft servers through the enhanced spell checker. In addition, when the show password feature is used, 73% end up leaking the password.


How to turn off the enhanced spell checker in Google Chrome and Microsoft Edge

Fortunately, the problem is confined to one very specific feature that is easy to disable. We recommend following these steps to protect your privacy and, above all, to keep personal data from being sent where it should not go.

In Edge, Microsoft Editor is in fact an extension that is installed separately, although the browser also appears to have an implementation behind "Use typing assistance" in the Languages section, which is enabled by default. For greater safety, it is advisable to use the basic check or to disable typing assistance altogether.

In Google Chrome the process is similar, and here the enhanced checker is not enabled by default either. In the same Languages section, select "Basic spell check" if you do not want to disable spell checking entirely.

It looks as though disabling spell checking from within web forms themselves will have to become standard practice to protect users more effectively, although that does not relieve users of taking their own precautions. As ever, when it comes to privacy and security, no precaution is too much.
