your passwords in plain text because of the spell checker!

Improved spell checkers in Chrome and Edge share your personal information with Google and Microsoft servers. Passwords are also affected.

Cybersecurity specialist Otto-JS warns of Chrome and Edge’s enhanced spell-checking features. Both of these very popular browsers have tools to help the user correct spelling errors; or make style suggestions. Handy tools that leak your passwords, as explained by Otto-JS researchers. They explain these advanced features in a blog post share too much personal informationetc. on Google and Microsoft servers.

Hackers even leak passwords

All data entered into formulas such as name, name, Date of birth, email address where social security number can move to the servers of two American giants. An unsurprising experience (see below), but transformative it’s more uncomfortable where there are passwords. Security experts claim that clicking the “Show password” button will allow an advanced spell checker to send your password to Google and Microsoft servers. This is for society “tantamount to hacking your data” and gives several examples.

Josh Summitt, co-founder and CTO of Otto-JS, made this discovery while testing the behavior of scripts. “The concern is how easily these features are enabled and most users will enable them without realizing what’s going on in the background”, the expert explains. The video describes the words of the Otto-JS team.

The firm also released screenshots showing a user trying to log into Alibaba Cloud. We can see that his password is sent to Google servers; although this service has nothing to do with the American giant. For Otto-JS, this “spell charm” can be dangerous for users and businesses because they threaten privacy and data protection.

Alibaba Cloud login page. © Otto-JS

How do I turn off the spell check feature?

The topic is a concern and Otto-JS has shared this discovery with key players in the market. Entrusts to groups responsible for the security of the companyAmazon Web Services (AWS) or LasPass is already in action “to alleviate the problem”. In particular, they try to prevent spell checkers from retrieving sensitive data.

Otto-JS Alibaba Google
With an improved spell checker, login information from Alibaba Cloud is sent to Google servers. © Otto-JS

It should also be noted that these improved spell check functions is not enabled by default. In Google Chrome, only the basic fixer is enabled by default. To activate this function, you need to go to the browser settings.

To check, you must first click on the three vertical dots located in the upper right. Then you need to log in Parametersthen go SGoogle services/Synchronization. You will find it in this window Improved spell checker and choose to enable or disable it. Note that Google identifies it as being sent by Chrome “the text you typed in the browser” to correct spelling errors.

In Edge, the approach is different, and to add this feature, you need to install an extension called Microsoft Editor. Therefore, the user must decide to install it voluntarily in order to activate it. Note that this may depend on and previous version on your computer the extension is also available for Chrome.

However, this new case confirms that it is better to think twice before activating or installing an extension in your browser. This should not restore the image of these two giants, members of GAFAM, known for their greed in personal information. In turn, Otto-JS advises not to specify the password.

Leave a Reply

Your email address will not be published. Required fields are marked *