Most Viewed Content:

Benelli Tornado 552R Bike launched, priced at 32,800 CNY

The Benelli Tornado 552R motorcycle was recently launched, priced...

OpenAI Launched Assistants API, Allowing Developers to Customize AI Assistants with One Click

At today's OpenAI's first developer conference, OpenAI launched the...

Microsoft working on new features for Win11 / Win12: smart notifications, depth-of-field effects

According to the source Albacore (@thebookisclosed), Microsoft is preparing...

Security firm warns: Don’t activate Edge, Chrome’s enhanced spell-checking features

If you’re using Edge and Chrome’s enhanced spell-checking features, it’s time to give them up, as a new report shows that the feature can actually send your form data to the tech giants that own the aforementioned browsers.

It occurs when Chrome’s Enhanced Spell Checker and Edge’s Microsoft Editor Spelling & Grammar Checker browser plugins are manually activated by the user, according to disclosures by a JavaScript security firm called otto-js. This situation. Still, it’s worth noting that both browsers have their own basic spell checkers enabled by default, but they don’t pose a security risk because they behave differently than the enhancements.

When activated, these features can send data to Microsoft and Google. The information sent depends on the forms you fill out on a particular website, which means the more information you share and the more form fields you fill out, the more data you might send to these companies when you activate Enhanced Spell Check. The website you are visiting may ask you to provide personally identifiable information (PII) like your full name, home address, email address, social security number, passport number, driver’s license number, credit card number, date of birth, etc. To make matters worse, your passwords could also be sent to Microsoft and Google, according to the otto-js research team, calling the process “spell-checking.”

“If ‘Show Password’ is enabled, the feature will even send your password to their third-party server,” shared Josh Summitt, co-founder and CTO of otto JavaScript Security, when testing the company’s script behavior detection “While researching data leaks across different browsers, we discovered a combination of features that, if enabled, would unnecessarily expose sensitive data to third parties such as Google and Microsoft. Concerningly, these features are very It’s easy to enable, and most users will enable these features without really realizing what’s going on in the background.”

Spell-checking can happen on all websites, as long as you are using Edge and Chrome and have their enhanced spell-checking feature. To demonstrate this, otto-js shared how it happened when they used employee credentials (specifically passwords) to log into the company’s Alibaba Cloud account, which was later sent to Google. Additionally, otto-js shared a video demo to show how spell-checking exposes a company’s cloud infrastructure — including servers, databases, company email accounts, and password managers.

This video uses a common workplace scenario to show how easy it is to enable browser-enhanced spell checking and how employees can unknowingly expose the company,” otto-js added, “Most CISOs Shocked to learn that their company’s management credentials were unknowingly shared in plaintext with a third party, even a third party they generally trust. “

The JavaScript security firm also further highlighted the names of companies and services that may be affected by the issue. It includes Alibaba — Cloud Services, Office 365, and Google Cloud — Secret Manager. AWS – Secrets Manager and LastPass were initially on the list, but otto-js says the two companies have fully mitigated the problem.

In addition to keeping Chrome’s enhanced spellcheck feature and Edge’s Microsoft Editor spelling and grammar checker browser plugin untouched and disabled, otto-js says the company can prevent spell-checking issues by adding “spellcheck=false”.

Otto-js advises: “Companies can mitigate the risk of sharing customer PII – by adding ‘spellcheck=false’ to all input fields, although this may cause problems for users. Or you can add it only for sensitive data form fields. Companies can also remove the ‘show password’ feature. This won’t prevent spell-checking, but it will prevent user passwords from being sent. Companies can also use client-side security software like otto-js to monitor and control page Three-party script.”

The security firm said it doesn’t yet know whether data transmitted to Microsoft and Google is being stored or how it is managed. Microsoft still hasn’t commented on this, but a Google spokesperson told BleepingComputer — “Google doesn’t attach it to any user identity, it’s just a temporary process on the server.”

Latest

Lincoln Z/Adventurer hybrid interior debuts, to launch on March 6th

The new Lincoln Adventurer and Lincoln Z gasoline-electric hybrid...

Stellantis recalls over 350,000 vehicles of Jeep Grand Cherokee and RAM Promaster models

Recently, we learned from foreign media that Stellantis Group...

Annual revenue of Volkswagen Group increased by 15% to 322.3 billion euros

We learned from the Volkswagen Group official that the...

McLaren to launch new supercar by the end of the year equipped with V8 hybrid system

Recently, foreign media reported information about the successor model...

Newsletter

Don't miss

Lincoln Z/Adventurer hybrid interior debuts, to launch on March 6th

The new Lincoln Adventurer and Lincoln Z gasoline-electric hybrid...

Stellantis recalls over 350,000 vehicles of Jeep Grand Cherokee and RAM Promaster models

Recently, we learned from foreign media that Stellantis Group...

Annual revenue of Volkswagen Group increased by 15% to 322.3 billion euros

We learned from the Volkswagen Group official that the...

McLaren to launch new supercar by the end of the year equipped with V8 hybrid system

Recently, foreign media reported information about the successor model...

Leapmotor is expected to launch compact car C16 at Beijing Auto Show

Recently, in a media interview after the Leapmotor launch...
Threza Gabriel
Threza Gabrielhttps://www.techgoing.com
Threza Gabriel is a news writer at TechGoing. TechGoing is a global tech media to brings you the latest technology stories, including smartphones, electric vehicles, smart home devices, gaming, wearable gadgets, and all tech trending.

Mercedes-Benz’s new E 300 L premium/ E 260 L 4MATIC models are launched

Mercedes-Benz’s new long-wheelbase E-Class E 300 L premium model and the new E 260 L 4MATIC were announced today: E 260 L4MATIC sedan 475,000 RMB E...

Google Pixel Fold 2 rendering: 6.4-inch outer screen, 7.9-inch inner screen

Source @OnLeaks recently shared a high-definition CAD rendering of the Google Pixel Fold 2 phone. The diagonal length of the inner screen in the...

Neta L model to launch in April with pure electric version and extended range version

Bitauto said that Neta L will be launched in April. It will be positioned as a medium and large SUV. It will adopt a...