Popular Browsers Leaking Sensitive User Information

What Browsers Are Affected?

Sensitive user information, such as usernames, emails, and passwords, has been found to be leaking from spell-checkers integrated into Google Chrome and Microsoft Edge when users put in details on websites and cloud-based apps.

What's is Spell-Jacking?

Researchers at Otto JavaScript Security have identified a vulnerability called “spell-jacking”, which could allow cybercriminals access to personally identifiable information in popular enterprise applications such as Alibaba, Amazon Web Services, Google Cloud, LastPass and Office 365. Details of the issue can be found in a blog post released on September 16th.

Josh Summit, co-founder and CTO of Otto-js, found the leakage when researching how browsers reveal private data when Chrome’s Enhanced Spellcheck and Edge’s MS Editor are enabled.

Summit discovered that when using certain web browsers, spell-check features would transfer information typed into form fields like usernames, emails, birthdays, and Social Security numbers to Google and Microsoft when filling out forms on websites or services.

The “show password” feature of Chrome and Edge can lead to the leakage of user passwords, as this triggers the transmission of the data to servers belonging to Google and Microsoft.

What's the Privacy Risk?

In an effort to analyze leakage of personally identifiable information (PII), Otto-js researchers tested over 50 apps used frequently by people. They divided these 30 applications into six categories – banking, cloud office tools, healthcare services, government sites, social networks and e-commerce websites – using the most popular in each industry. To show how this leakage can occur, they posted a video on YouTube.

Of the 30 websites tested in the control group, almost 97% transmitted PII to Google and Microsoft, while 73% sent passwords when “show password” was clicked. Despite this, the issue had not been fully addressed since some just didn’t have the “show password” feature, reported by researchers.

Researchers discovered that Google had already resolved the email and some service issues, but were still vulnerable in Web services, with Google Cloud Secret Manager being a prime example.

Auth0, a well-known single sign-on provider, was the sole website aside from Google that had successfully resolved the problem in the absence of being included in the research team’s investigations, they stated.

For further information and how to avoid this issue, read this article.