Sensitive information is sent to an external server via the extended spell check function in Google Chrome and Microsoft Edge

Google Chrome and Microsoft Edge have an 'extended spell check' function that uses server data to check whether the word entered by the user is spelled correctly. Cybersecurity company otto points out that basically all the information in the input field is sent to an external server when using this 'extended spell check'. If you select 'Show password', even the password will be sent.

Chrome & Edge Enhanced Spellcheck Features Expose PII, Even Your Passwords | otto

Microsoft Edge and Google Chrome enhanced spellcheck feature exposes passwords - CDJapan

Specifically, a video has been released that briefly shows how the information leaks.

Chrome & Edge Enhanced Spellcheck Features Expose PII, Even Your Passwords-YouTube

While working in a spreadsheet, check a piece of text with enhanced spell checking.

At that time, Enhanced Spelling Check is the same spell checking as Google Search, and you will be warned that the text you enter will be sent to Google.

In the same browser, continue to enter AWS confidential information. Your ID and password are information that should not be known to anyone.

However, when I check the logs, the ID I entered was sent to Google's spell-checking server.

So was the password, of course.

This method of obtaining information is called 'spelljacking' and poses a serious security problem.

According to Josh Summit, co-founder and chief technology officer of otto, this was found during an in-house script operation check, saying, ``We checked for data leaks in various browsers. I found a combination of features that, when enabled, unnecessarily exposed sensitive data to third parties.The problem is how easy it is to enable these features, and what most users do in the background. It's about enabling features without actually knowing what's happening.'

Walter Horn, vice president of engineering at otto, said, ``The interesting thing [about the password leak] is that it's caused by the unintended interaction of two functions. Both are independent functions and are beneficial to users. Chrome and Edge's enhanced spell-checking greatly upgrades the default dictionaries, and similarly, services that offer the option to view passwords in clear text are more accessible to users with disabilities. , when used together, the password is exposed.'

otto's research has confirmed that information is sent via Office 365, Alibaba Cloud Service, and Google Cloud Secret Manager. Also, AWS Sevret Manager and Last Pass have already dealt with the problem.

In addition, otto identifies websites with opportunities to access personally identifiable and sensitive information (PII) as “online banking”, “cloud office tools”, “health management”, “government relations”, “social media”, “e Commerce”, and tested the top 5 sites in each category. Then, it is clear that 96.7% of sites send PII to Google and Microsoft servers when using extended spell check.

Also, when using 'Show Password', 73% of the sites sent the password. In addition, the remaining 27% of sites were not able to respond, it was just that there was no option to 'show password'.

The immediate response from the user side is 'Do not use extended spell check in Chrome and Edge'. Enhanced spell checking is disabled by default in all browsers, but once enabled, it is not automatically disabled.

For Google Chrome, click the menu icon in the upper right, select 'Settings', and go to the 'Language' tab.

If you are using a spell checker, you should be fine as long as 'Basic spell check' is checked.

Similarly for Microsoft Edge, click the menu icon in the upper right, select 'Settings', and move to the 'Language' tab.

It is OK if you select 'Basic' instead of 'Microsoft Editor' in the item 'Use document creation support'. In the first place, it is also ant to disable 'Use document creation support' itself.

According to otto, it is completely unclear whether the transmitted data is managed with the same level of security as known confidential data, or whether it is managed as metadata to improve the model.

in Software,   Security, Posted by logc_nt