Most Viewed Content:

Tesla executives: Model 3 / Y is too good to sell

Martin Viecha, head of investor relations for Tesla, was...

Intel’s 13th generation Core revealed to have cut PCIe 5.0 SSD support

Intel's 12th generation Core released last year not only...

Jim Keller: Innovation is happening, RISC-V will win

In the global market, x86 architecture in the high-performance...

Security firm warns: Don’t activate Edge, Chrome’s enhanced spell-checking features

If you’re using Edge and Chrome’s enhanced spell-checking features, it’s time to give them up, as a new report shows that the feature can actually send your form data to the tech giants that own the aforementioned browsers.

It occurs when Chrome’s Enhanced Spell Checker and Edge’s Microsoft Editor Spelling & Grammar Checker browser plugins are manually activated by the user, according to disclosures by a JavaScript security firm called otto-js. This situation. Still, it’s worth noting that both browsers have their own basic spell checkers enabled by default, but they don’t pose a security risk because they behave differently than the enhancements.

When activated, these features can send data to Microsoft and Google. The information sent depends on the forms you fill out on a particular website, which means the more information you share and the more form fields you fill out, the more data you might send to these companies when you activate Enhanced Spell Check. The website you are visiting may ask you to provide personally identifiable information (PII) like your full name, home address, email address, social security number, passport number, driver’s license number, credit card number, date of birth, etc. To make matters worse, your passwords could also be sent to Microsoft and Google, according to the otto-js research team, calling the process “spell-checking.”

“If ‘Show Password’ is enabled, the feature will even send your password to their third-party server,” shared Josh Summitt, co-founder and CTO of otto JavaScript Security, when testing the company’s script behavior detection “While researching data leaks across different browsers, we discovered a combination of features that, if enabled, would unnecessarily expose sensitive data to third parties such as Google and Microsoft. Concerningly, these features are very It’s easy to enable, and most users will enable these features without really realizing what’s going on in the background.”

Spell-checking can happen on all websites, as long as you are using Edge and Chrome and have their enhanced spell-checking feature. To demonstrate this, otto-js shared how it happened when they used employee credentials (specifically passwords) to log into the company’s Alibaba Cloud account, which was later sent to Google. Additionally, otto-js shared a video demo to show how spell-checking exposes a company’s cloud infrastructure — including servers, databases, company email accounts, and password managers.

This video uses a common workplace scenario to show how easy it is to enable browser-enhanced spell checking and how employees can unknowingly expose the company,” otto-js added, “Most CISOs Shocked to learn that their company’s management credentials were unknowingly shared in plaintext with a third party, even a third party they generally trust. “

The JavaScript security firm also further highlighted the names of companies and services that may be affected by the issue. It includes Alibaba — Cloud Services, Office 365, and Google Cloud — Secret Manager. AWS – Secrets Manager and LastPass were initially on the list, but otto-js says the two companies have fully mitigated the problem.

In addition to keeping Chrome’s enhanced spellcheck feature and Edge’s Microsoft Editor spelling and grammar checker browser plugin untouched and disabled, otto-js says the company can prevent spell-checking issues by adding “spellcheck=false”.

Otto-js advises: “Companies can mitigate the risk of sharing customer PII – by adding ‘spellcheck=false’ to all input fields, although this may cause problems for users. Or you can add it only for sensitive data form fields. Companies can also remove the ‘show password’ feature. This won’t prevent spell-checking, but it will prevent user passwords from being sent. Companies can also use client-side security software like otto-js to monitor and control page Three-party script.”

The security firm said it doesn’t yet know whether data transmitted to Microsoft and Google is being stored or how it is managed. Microsoft still hasn’t commented on this, but a Google spokesperson told BleepingComputer — “Google doesn’t attach it to any user identity, it’s just a temporary process on the server.”

Latest

NVIDIA confirms the newly designed GeForce RTX Logo

In its latest "Project Beyond" promotional video, NVIDIA confirmed...

DJI Mavic 3 Classic Edition exposed: Mavic 3 with the same main camera

The DJI Mavic 3 has a professional-grade Hasselblad camera,...

Hackers want to sell GTA5 source code, ask for no less than five figures

After confirming that hackers stole the source code for...

Tesla may be re-equipped with LIDAR or will be announced at the end of September

According to foreign media reports, recently the famous Tesla...
spot_img

Newsletter

Don't miss

NVIDIA confirms the newly designed GeForce RTX Logo

In its latest "Project Beyond" promotional video, NVIDIA confirmed...

DJI Mavic 3 Classic Edition exposed: Mavic 3 with the same main camera

The DJI Mavic 3 has a professional-grade Hasselblad camera,...

Hackers want to sell GTA5 source code, ask for no less than five figures

After confirming that hackers stole the source code for...

Tesla may be re-equipped with LIDAR or will be announced at the end of September

According to foreign media reports, recently the famous Tesla...

Korea to unveil 6G-centric network strategy in October

South Korea will unveil its next-generation network strategy next...
Threza Gabriel
Threza Gabrielhttps://www.techgoing.com
TechGoing is a global tech media to brings you the latest technology stories, including smartphones, electric vehicles, smart home devices, gaming, wearable gadgets, and all tech trending.
spot_imgspot_img

AMD Announces Founding Member of the New PyTorch Foundation

AMD has joined the newly formed PyTorch Foundation as a founding member, according to official news from AMD. The foundation will be part of...

OPPO Find X5 Pro phone DxOMark image score is out: 130 points, ranked 22nd

DxOMark announced the total image score of OPPO Find X5 Pro. The OPPO Find X5 Pro has a total image score of 130 points,...

TSMC to obtain high NA EUV lithography in 2024 to boost 2nm process production

TSMC research general Dr. Yu-Chieh Mi has revealed that TSMC will acquire ASML next-generation extreme ultraviolet micro-imaging equipment (high-NA EUV) in 2024 to develop...