Google Chrome And Microsoft Edge Are Vulnerable To Spell-jacking: Otto-js

The advanced spell checking features of Google Chrome and Microsoft Edge can cause problems for users. otto-js researchers found that Enhanced Spellcheck in Chrome and MS Editor in Edge could inadvertently leak sensitive information to third parties such as Google and Microsoft servers.

otto-js, a JavaScript security company, has found that these extensive spell checking features can come at the cost of user privacy. Both can send form/field data, including personally identifiable information (PII), to Google and Microsoft. Worryingly, they also pose a risk of spell hijacking, i.e. exposing credentials if users click show password.

Users must necessarily enable the extended and non-basic spell checking features available in Chrome and Edge. Risky PII includes users’ names, email ids, dates of birth, social security numbers, or anything else they enter into fields when extended spell checking is enabled.

– Advertising –

otto-js researchers discovered this security flaw while testing the company’s scripting behavior detection. Josh Summitt, co-founder and CTO of otto-js, said: “What is concerning is how easily these features are enabled and the fact that most users will enable these features without really realizing it. of what is happening in the background. »

The company tested more than 50 websites in different control groups in online banking, cloud office tools, healthcare government, social media and e-commerce, of which 96.7% disclosed personal information to Google and Microsoft via Enhanced Spellcheck in Chrome and MS Editor in Edge. Additionally, just over 73% of the websites tested sent passwords to Google and Microsoft.

The researchers highlighted the top five websites: Office 365, Alibaba Cloud Service, Google Cloud Secret Manager, AWS Secrets Manager, and LastPass. The latter two have alleviated the problem at the time of this writing.

The fact that credentials can be exposed puts a company’s cloud infrastructure at risk, including servers, databases, corporate email accounts, and password managers. “One of the most interesting things about this kind of exposure is that it’s caused by the unintended interaction between two features that are, in isolation, both beneficial to users,” said Walter Hoehn, VP -president of engineering at otto-js.

See more: Five Chrome Extensions Found Discreetly Collecting User Data: Remove Them Now!

The company shared a demo video of spell hijacking on AWS Secrets Manager by pressing show password on Chrome and Edge:

Tests on websites outside of the control groups found adult content and credit reporting agencies leaking personal information. However, porn sites were relatively safer because they didn’t have the show password option.

What can users do to prevent spell hijacking on Chrome and Edge?

In Chrome, spell check is enabled by default, but enhanced spell checking must be enabled. Microsoft Editor is available as an add-on for Edge. So, keeping Chrome settings for enhanced spell checking as default and not installing Editor in Edge should mitigate spell hijacking.

To check if Enhanced Spell Check is disabled in Chrome, click the vertical ellipsis in the upper right corner of a Chrome window > Settings > Languages ​​> Spell Check. Disable it completely or select the radio button next to “Basic spell check”.

However, websites can mitigate the problem by updating the HTML code and adding “spellcheck=false” to all input fields or only for sensitive fields. “Companies can also remove the ability to display the password. It won’t prevent spell hijacking, but it will prevent user passwords from being sent. »

Let us know if you enjoyed reading this news on LinkedIn, To babbleWhere Facebook. We would like to hear from you!


Leave a Comment