Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Google Microsoft Privacy

Microsoft Edge, Google Chrome Enhanced Spellcheck Feature Exposes Passwords (neowin.net) 28

Recent research from the otto-js Research Team has uncovered that data that is being checked by both Microsoft Editor and the enhanced spellcheck setting within Google Chrome is being sent to Microsoft and Google respectively. This data can include usernames, emails, DOB, SSN, and basically anything that is typed into a text box that is checked by these features. Neowin reports: As an additional note, even passwords can be sent by these features, but only when a 'Show Password' button is pressed, which converts the password into visible text, which is then checked. The key issue resolves around sensitive user personally identifiable information (PII), and this is a key concern for enterprise credentials when accessing internal databases and cloud infrastructure.

Some companies are already taking action to prevent this, with both AWS and LastPass security teams confirming that they have mitigated this with an update. The issue has already been dubbed 'spell-jacking'. What's most concerning is that these settings are so easy to enable by users, and could result in data exposure without anyone ever realising it. The team at otto-js ran a test of 30 websites, across a range of sectors, and found that 96.7% of them sent data with PII back to Google and Microsoft. At present, the otto-js Research Team recommends that these extensions and settings are not used until this issue is resolved.

This discussion has been archived. No new comments can be posted.

Microsoft Edge, Google Chrome Enhanced Spellcheck Feature Exposes Passwords

Comments Filter:
  • by Joe_Dragon ( 2206452 ) on Monday September 19, 2022 @07:05PM (#62896571)

    don't use edge or chrome. Use firefox and no issue!

  • by Dagmar d'Surreal ( 5939 ) on Monday September 19, 2022 @07:15PM (#62896589) Journal

    I mean, it's not like the HTML attribute spellcheck=false hasn't been around for ages now, and is specifically cited in lots and lots of documentation as something you are supposed to apply to any field that contains or might contain sensitive data.

    Trying to frame this as a problem caused by web browsers is kinda sad.

    • worse yet the clickbait ass title, passwords have to do the inherent unsafe "reveal" to be gobbled up here.
    • by Anonymous Coward on Monday September 19, 2022 @08:06PM (#62896699)
      How is this somehow the fault of web developers? Spellcheck is something that happens locally in the browser, it doesn't require online services to do this (and doing so would just introduce latency), so why do Google and Microsoft think that their telematics should hoover up every single piece of data typed into their browsers?
      • Is there a standard to how spellcheck should be done that states taht it's supposed to happen locally? If not, then MS and Google have the right to implement their features as they see fit (though it's scummy if there isn't a disable-online-spellcheck function). If there's an attribute that web developers are overlooking, then it's time for them to stop overlooking it.
        • Is there a standard to how spellcheck should be done that states taht it's supposed to happen locally?

          Yes, the standard that introduction of new features must not introduce new insecurity to existing deployments because backwards compatibility is a critical requirement on the web.

          If not, then MS and Google have the right to implement their features as they see fit (though it's scummy if there isn't a disable-online-spellcheck function).

          Browser vendors can implement spying (e.g. telemetry), key logging (e.g. improved typography) , embed RATs (e.g. seamless cross-device session resumption features) and overriding explicit intent (e.g. disabling autocomplete does not really apply to the browsers brand new embedded password manager) however they see fit as well. The

        • If I'm writing up sensitive case notes into my secure, browser-based patient information system, I expect the spellchecker to be available to me.

          I do *not* expect the sensitive PII that I am entering to be transmitted to third-parties by my web browser.

          This is not a web developer issue, but a browser issue.

      • > so why do Google and Microsoft think that their telematics should hoover up every single piece of data typed into their browsers?

        You know the answer to that.

    • by nuntius ( 92696 ) on Monday September 19, 2022 @08:11PM (#62896703)

      Umm, no. This answer redirects blame from bad actors to third parties. Web devs aren't always at fault.

      This is unacceptable browser behavior. Spell check does not imply transmission to a server. It worked locally for decades.

      The spellcheck attribute was not defined to prevent transmission to malicious servers. It is merely a hint whether to check for spelling errors.

      Further, this answer requires every field on every website in the world to work around a recently introduced bad behavior. Web developers may know that some fields are sensitive but they can never know that all data entered into a particular field will not be sensitive.

    • by Waccoon ( 1186667 ) on Tuesday September 20, 2022 @04:01AM (#62897393)

      Web browsers have had a dedicated identifier for "password" fields for a long time. You're insisting that web developers need to explicitly tell a web browser not to spellcheck a password field? Really? I mean, even completely overlooking the fact that telemetry has gotten out of control?

      Garbage like this is why I quit web development.

    • I mean, it's not like the HTML attribute spellcheck=false hasn't been around for ages now, and is specifically cited in lots and lots of documentation as something you are supposed to apply to any field that contains or might contain sensitive data.

      No it isn't. I've never in my entire life seen any such documentation. It's not in WHATWG or MDN. The only reference to spellcheck having to do with security is that it is automatically disabled for password input fields. Leakage is from autocomplete features not the spellchecker.

      Expecting the world to be aware of and develop countermeasures for every bit of evil shit implemented by browser vendors and then blaming them is not a concept I can support. The industry should not allow this type of breakage

  • .dict (Score:5, Insightful)

    by betsuin ( 5812894 ) on Monday September 19, 2022 @07:53PM (#62896671)
    Why does the browser have send everything back to some central server to check spelling?
    It's not as though local spell checking is not a thing.
    Ah, of course - it is all about scraping the maximum amount of user data - FFS.
    • Re:.dict (Score:5, Insightful)

      by MikeDataLink ( 536925 ) on Monday September 19, 2022 @08:01PM (#62896689) Homepage Journal

      Ah, of course - it is all about scraping the maximum amount of user data - FFS.

      If only I had mod points I'd +1 you.

      We now live in a world where basically every company we deal with and every app/website/etc we visit is literally mining our every keystroke. It's bullshit. And we as the human race should demand it stops.

    • by Paxtez ( 948813 )

      FWIW, YMMV, etc.

      But I have very bad spelling, I will often butcher a word so badly that normal spell check (non-enhanced Chrome, Word, etc.) will not even have it on the suggested word list.

      These will normally show up with enhanced spell check.

      Also, this feature is opt-in. Annoyingly so when every once and awhile it just turns off by itself.

      My 1/50th USD, this is pretty silly. Normally the "show password" button does that by changing the input type from "password" to "text", so how would the browser make

  • by gillbates ( 106458 ) on Monday September 19, 2022 @08:46PM (#62896743) Homepage Journal

    I need to check the battery_horse_staple^M^M^M^M^M^M^M^M^M^M^M^M^M^ies in my smoke detector...

  • Electron apps (Score:5, Interesting)

    by cyberpunkrocker ( 1649121 ) on Monday September 19, 2022 @11:58PM (#62897035)

    Actually, this raises a concern about the Electron-based apps. Electron, as you know, embeds a Chromium engine in it, and as far as I know spellchecking is enabled by default in Electron. Some apps does not use the builtin spellchecking, or have disabled it, but others have it enabled. The problem is, there's no way an user can turn the spellchecking on or off on Electron-based apps (unless the app developer provides an interface to do so).

  • Are Brave and Chromium affected?

  • That's what they do.
  • It is bad enough that Google, Microsoft, etc keep trying to get us to use more of their apps just so they can spy on us and sell our data.
    And it is a shame that the governments of the world are not cracking down harder on them.

    But when those apps leak our data, it should lead directly to court cases and MASSIVE fines.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...