Microsoft Edge, Google Chrome Enhanced Spellcheck Feature Exposes Passwords (neowin.net)
Recent research from the otto-js Research Team has uncovered that data that is being checked by both Microsoft Editor and the enhanced spellcheck setting within Google Chrome is being sent to Microsoft and Google respectively. This data can include usernames, emails, DOB, SSN, and basically anything that is typed into a text box that is checked by these features. Neowin reports: As an additional note, even passwords can be sent by these features, but only when a 'Show Password' button is pressed, which converts the password into visible text, which is then checked. The key issue revolves around sensitive user personally identifiable information (PII), and this is a key concern for enterprise credentials when accessing internal databases and cloud infrastructure.
Some companies are already taking action to prevent this, with both AWS and LastPass security teams confirming that they have mitigated this with an update. The issue has already been dubbed 'spell-jacking'. What's most concerning is that these settings are so easy to enable by users, and could result in data exposure without anyone ever realising it. The team at otto-js ran a test of 30 websites, across a range of sectors, and found that 96.7% of them sent data with PII back to Google and Microsoft. At present, the otto-js Research Team recommends that these extensions and settings are not used until this issue is resolved.
don't use edge or chrome. Use firefox and no issue (Score:3)
don't use edge or chrome. Use firefox and no issue!
...or, you could blame bad web developers. (Score:5, Insightful)
I mean, it's not like the HTML attribute spellcheck=false hasn't been around for ages now, and is specifically cited in lots and lots of documentation as something you are supposed to apply to any field that contains or might contain sensitive data.
Trying to frame this as a problem caused by web browsers is kinda sad.
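One way for a site to audit its own forms for the spellcheck="false" attribute the comment above mentions, as an added example in JavaScript that is not from the article, the commenter, or any browser vendor; which fields count as "sensitive" (autocomplete tokens and name patterns) is this example's own heuristic:

```javascript
// Added example, not from the article or the commenters: audit an HTML fragment
// for sensitive fields that still allow the browser spellchecker. The sensitive
// autocomplete tokens and name patterns are this example's own heuristics.
const SENSITIVE_AUTOCOMPLETE = new Set(['username', 'email', 'current-password',
  'new-password', 'one-time-code', 'cc-number', 'cc-csc', 'cc-exp', 'bday']);
const SENSITIVE_NAME = /pass(word|wd)?|pwd|ssn|social|dob|birth|secret|token|card|cv[cv]/i;
// Parse the attribute list of one opening tag into a lowercase-keyed object.
function parseAttrs(attrString) {
  const attrs = {};
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrString)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}
// Is this a field the spellchecker should never see?
function isSensitive(a) {
  const type = (a.type ?? '').toLowerCase();
  if (type === 'hidden') return false; // the user never types into it
  // Password boxes count too: a "show password" toggle flips the type to
  // text, and enhanced spellcheck then sees the cleartext value.
  if (type === 'password') return true;
  if (SENSITIVE_AUTOCOMPLETE.has((a.autocomplete ?? '').toLowerCase())) return true;
  return SENSITIVE_NAME.test(a.name ?? '') || SENSITIVE_NAME.test(a.id ?? '');
}
// Return names (or ids) of sensitive <input>/<textarea> fields that lack an
// explicit spellcheck="false".
function auditSpellcheck(html) {
  const findings = [];
  const tagRe = /<(input|textarea)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttrs(m[2]);
    if (isSensitive(a) && (a.spellcheck ?? '').toLowerCase() !== 'false') {
      findings.push(a.name || a.id || `<${m[1].toLowerCase()}>`);
    }
  }
  return findings;
}

// Constructed sample form: only the password box and the notes box opt out.
const SAMPLE_FORM = `<form>
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" autocomplete="current-password" spellcheck="false">
  <input type="text" name="ssn" placeholder="Social Security Number">
  <textarea name="notes" spellcheck="false"></textarea>
  <input type="search" name="q"></form>`;
console.log(auditSpellcheck(SAMPLE_FORM)); // [ 'username', 'ssn' ]
```

Fields the audit reports are the ones a "show password" toggle or a plain text box would hand to the spellchecker; adding spellcheck="false" to them is the fix the commenter refers to.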
Re: (Score:2)
Umm, no. This answer redirects blame from bad actors to third parties. Web devs aren't always at fault.
This is unacceptable browser behavior. Spell check does not imply transmission to a server. It worked locally for decades.
The spellcheck attribute was not defined to prevent transmission to malicious servers. It is merely a hint whether to check for spelling errors.
Further, this answer requires every field on every website in the world to work around a recently introduced bad behavior. Web developers
.dict (Score:4, Insightful)
It's not as though local spell checking is not a thing.
Ah, of course - it is all about scraping the maximum amount of user data - FFS.
Re: (Score:3)
Ah, of course - it is all about scraping the maximum amount of user data - FFS.
If only I had mod points I'd +1 you.
We now live in a world where basically every company we deal with and every app/website/etc we visit is literally mining our every keystroke. It's bullshit. And we as the human race should demand it stops.