Chrome and Edge’s spell checker leaks your passwords

Microsoft Edge’s spell checker and Chrome’s improved spell checker send the sensitive data you type, including your passwords, to Google and Microsoft servers.

The Otto-JS security research team discovered that the Microsoft Editor on Microsoft Edge and the enhanced spell checker built into Google Chrome share your personal data on Google and Microsoft servers.

Concretely, everything entered into a text field that these spell checkers can analyze, whether on a login page or in a form, is sent to the two American giants. This may include first and last names, email addresses, dates of birth, social security numbers, and so on. Every text field these spell checkers can analyze is affected. If that is only half surprising, what follows is more alarming: the Otto-JS team found something far worse.

While testing the behavior of their scripts, the company's managers discovered that clicking the button to display the password they had just entered also sent that password to Google's and Microsoft's servers.

“What is concerning is how easy it is to activate these features and that most users will activate them without really realizing what is going on in the background,” the Otto-JS co-founder said in the company's statement.

Indeed, while Microsoft Editor is an extension that the user must deliberately install in Edge, the same is not true of Chrome's enhanced spell checker, which is built into the browser itself.

To illustrate the danger these features can represent, the Otto-JS team produced a telling demonstration. Screenshots published by the company show that when a user logs into Alibaba Cloud, their password is sent to Google's servers, even though the service has nothing to do with Google or Microsoft. This flaw, which Otto-JS calls “Spell-jacking”, can be transposed to any cloud infrastructure or internal corporate network.

[Image: © Otto-JS – Alibaba Cloud login page]
[Image: © Otto-JS – an Alibaba Cloud user's login data is sent to Google's servers by the enhanced spell checker]

Otto-JS, which disclosed the flaw to several giants in the sector, has already enabled some of them to correct the situation. This is the case, for example, of the teams in charge of Amazon Web Services security and of the LastPass password manager: their security teams modified their applications' code to prevent spell checkers from analyzing text fields that contain sensitive data.
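As an added example (not Otto-JS's code nor that of the companies named above), the following script shows how a web application can audit its own fields and opt sensitive ones out of browser spell checking with the standard HTML `spellcheck` attribute, including the “show password” toggle where the leak was observed. The sensitive-name pattern and the `MinimalElement` stub are assumptions constructed here so the logic runs outside a browser; in a page, pass real `<input>` elements instead.

```javascript
// Field names/ids/autocomplete values that commonly carry secrets
// (assumed list; extend it for your own application).
const SENSITIVE_PATTERN = /password|passwd|pwd|ssn|social|dob|birth|card|cvv|iban/i;

// A field is sensitive if it is a password input or its metadata looks sensitive.
function isSensitive(el) {
  const type = (el.getAttribute("type") || "text").toLowerCase();
  if (type === "password") return true;
  const hints = [el.getAttribute("name"), el.getAttribute("id"), el.getAttribute("autocomplete")]
    .filter(Boolean)
    .join(" ");
  return SENSITIVE_PATTERN.test(hints);
}

// Returns the sensitive fields that the browser is still allowed to spell-check.
function auditFields(fields) {
  return fields.filter((el) => isSensitive(el) && el.getAttribute("spellcheck") !== "false");
}

// Opts every sensitive field out of spell checking; returns how many were changed.
function hardenFields(fields) {
  let changed = 0;
  for (const el of auditFields(fields)) {
    el.setAttribute("spellcheck", "false");
    changed++;
  }
  return changed;
}

// "Show password" toggle: switching type="password" to type="text" is the step
// where the spell checker starts seeing the value, so keep spellcheck="false"
// across the switch. Returns true when the password is now visible.
function togglePasswordVisibility(el) {
  const showing = el.getAttribute("type") === "text";
  el.setAttribute("spellcheck", "false");
  el.setAttribute("type", showing ? "password" : "text");
  return !showing;
}

// Constructed stand-in for an HTMLElement so the functions above can run offline.
class MinimalElement {
  constructor(attrs) { this.attrs = { ...attrs }; }
  getAttribute(name) { return name in this.attrs ? this.attrs[name] : null; }
  setAttribute(name, value) { this.attrs[name] = String(value); }
}
```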
