Google and Microsoft spell checkers leak personal data

The spell checkers in Chrome and Edge save and send sensitive data, including passwords, to Google and Microsoft servers. This affects both individuals and businesses.

A major flaw has been discovered in the spell checkers from Google and Microsoft. All text fields that these spell checkers can analyze in Chrome and Edge are affected.

Whether on a form or a login page, anything entered in a text field is likely to be sent to Google and Microsoft. This may include surnames, first names, e-mail addresses, dates of birth or even social security numbers, and above all passwords.

This flaw, called Spell-Jacking, could cause big problems for consumers and major industries when it comes to privacy, data protection and client-side security.

For companies, the problem also extends to the exposure of internal information such as databases and to the security of customer data.

Alert companies

Security researchers at Otto-JS discovered the spell checker leak while testing their own system.

“If the ‘show password’ feature is enabled, the feature sends the password to third-party servers. While researching data leaks in different browsers, we found a combination of features that, when enabled, will unnecessarily expose sensitive data to third parties like Google and Microsoft,” says Otto-JS CTO Josh Summitt.

Screenshots published by the company show that when a user logs into Alibaba Cloud, their password is sent to Google’s servers.

To demonstrate the flaw, the teams tested more than 50 websites. Otto-JS disclosed the issue to several industry giants, including Amazon Web Services and LastPass, which corrected the situation. Others, such as Office 365, Alibaba Service Cloud and Google Cloud, have not yet done so, to Otto-JS’s knowledge. Otto-JS advises companies in particular to remove the option of displaying the password.
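For site owners, the JavaScript below is an added example (not from the article or from Otto-JS) that audits a form's fields and sets the standard HTML `spellcheck="false"` attribute on the sensitive ones, a complementary measure the article does not mention. The name hints, the `fakeElement` helper and the sample form are constructed assumptions.

```javascript
// Name/id/autocomplete hints for sensitive fields (assumed list; extend for your forms).
const SENSITIVE_HINT = /pass|pwd|mail|name|birth|ssn|social/i;

// Return a finding if the field is sensitive and spell checking is not disabled.
function auditField(el) {
  const attr = (n) => (el.getAttribute(n) || "").toLowerCase();
  const tag = (el.tagName || "").toLowerCase();
  const type = tag === "textarea" ? "textarea" : attr("type") || "text";
  const hints = [attr("name"), attr("id"), attr("autocomplete")].join(" ");
  const sensitive = type === "password" || SENSITIVE_HINT.test(hints);
  if (!sensitive || attr("spellcheck") === "false") return null;
  // A password input is masked, but a "show password" toggle that flips it
  // to type="text" makes it an ordinary text field for the spell checker.
  const risk = type === "password"
    ? "spell-checkable once a show-password toggle sets type=text" : "spell-checkable as typed";
  return { field: attr("name") || attr("id"), type, risk };
}

// Audit every element and set spellcheck="false" on the ones flagged.
function hardenFields(elements) {
  const findings = [];
  for (const el of elements) {
    const finding = auditField(el);
    if (!finding) continue;
    el.setAttribute("spellcheck", "false");
    findings.push(finding);
  }
  return findings;
}

// Constructed stand-in for a DOM element so the example runs outside a browser.
function fakeElement(tagName, attrs) {
  const map = new Map(Object.entries(attrs));
  return {
    tagName,
    getAttribute: (n) => (map.has(n) ? map.get(n) : null),
    setAttribute: (n, v) => map.set(n, String(v)),
  };
}

// Constructed login form: two fields need hardening, two do not.
const sampleForm = () => [
  fakeElement("INPUT", { type: "text", name: "email" }),
  fakeElement("INPUT", { type: "password", name: "pw" }),
  fakeElement("INPUT", { type: "search", name: "q" }),
  fakeElement("INPUT", { type: "text", name: "ssn", spellcheck: "false" }),
];

console.log(hardenFields(sampleForm()));
```

In a page, the same function can be called as `hardenFields(document.querySelectorAll("input, textarea"))`.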
