Careful! Google and Microsoft may receive your passwords without you knowing it


More than simple browsers, Edge and Chrome are now essential tools for users, largely because of the extras they bring. Microsoft and Google keep adding new features to hold on to the users of these tools.

One of the most interesting of these features is spell checking, meant to give users the best possible text. Unfortunately, this helper may have access to more than intended: without users' knowledge, their passwords are sent to Microsoft and Google.

It is not unusual for users to trust Google and Microsoft to store their passwords. These password managers transmit and hold the data securely, without access to it in clear text, as would be expected.

What has now been discovered calls much of this security in Edge and Chrome into question, not because of password management, but because passwords are plainly being sent where they should not be. When Microsoft's and Google's spell checking services are used, the passwords end up being transmitted.

What the otto-js research team discovered is that when a user asks to see the password they have typed or filled in (the "show password" option), the password ends up being sent. This happens to anyone who has the enhanced spell checking active, without the user knowing or even being told about this possibility.

In addition to revealing this scenario, which holds on many major sites, the team also presented two possible solutions to the problem. The first is to disable spell checking in both Chrome and Edge.

The second, more complicated to apply and not dependent on users, requires changing the HTML of the pages. When the attribute spellcheck="false" is added to the form fields, this data is not sent. Although this simple change is well known, most sites do not implement it.
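The following is an added example, not code from the article or from otto-js, of how a site can apply the second fix: it shows the spellcheck="false" attribute in the login markup and a small script that sets the attribute on password and similar fields, and keeps it in place when a "show password" control switches the field to type=text (the case in which the research found passwords being sent). The function names hardenSensitiveFields, revealPassword, isSensitiveField and makeFakeInput are chosen here, and the fake input objects are a constructed stand-in so the logic also runs outside a browser.

```javascript
// Added example (not from the article or from otto-js): mark password and other
// sensitive form fields with spellcheck="false" so the browser's spell checker
// does not send their contents to the vendor's service, and keep that setting
// when a "show password" control changes the field from type=password to text.
// All function names below are chosen for this example.

// What the fix looks like in server-rendered markup.
const HARDENED_FORM_HTML = `
<form action="/login" method="post">
  <input type="email" name="user" autocomplete="username">
  <input type="password" name="pass" autocomplete="current-password" spellcheck="false">
  <button type="submit">Sign in</button>
</form>`;

// autocomplete tokens whose values should never reach a spell checker.
const SENSITIVE_AUTOCOMPLETE = new Set([
  'current-password', 'new-password', 'one-time-code', 'cc-number', 'cc-csc',
]);

// A field is sensitive if it is a password input, carries one of the tokens
// above, or is explicitly tagged by the page author with data-sensitive="true".
function isSensitiveField(field) {
  if ((field.type || '').toLowerCase() === 'password') return true;
  const token = (field.getAttribute('autocomplete') || '').toLowerCase();
  return SENSITIVE_AUTOCOMPLETE.has(token) || field.getAttribute('data-sensitive') === 'true';
}

// Set spellcheck="false" on every sensitive field that lacks it.
// Returns the number of fields changed, so a page can log or assert on it.
function hardenSensitiveFields(fields) {
  let changed = 0;
  for (const field of fields) {
    if (isSensitiveField(field) && field.getAttribute('spellcheck') !== 'false') {
      field.setAttribute('spellcheck', 'false');
      changed += 1;
    }
  }
  return changed;
}

// "Show password" handler. The attribute is set before the type changes,
// because a plain type=text field is exactly what the spell checker inspects.
function revealPassword(field) {
  field.setAttribute('spellcheck', 'false');
  field.type = 'text';
  return field;
}

// Constructed stand-in for an <input> element (only the methods used above),
// so the functions can be exercised without a DOM. In a real page, pass
// document.querySelectorAll('input, textarea') instead.
function makeFakeInput(type, attrs = {}) {
  const store = { ...attrs };
  return {
    type,
    getAttribute: (name) => (name in store ? store[name] : null),
    setAttribute: (name, value) => { store[name] = String(value); },
  };
}

// Browser usage (not executed here):
//   hardenSensitiveFields(document.querySelectorAll('input, textarea'));
//   showButton.addEventListener('click', () => revealPassword(passwordInput));

// Stand-alone demonstration on constructed fields.
const demoFields = [
  makeFakeInput('email', { autocomplete: 'username' }),
  makeFakeInput('password', { autocomplete: 'current-password' }),
];
console.log('fields hardened:', hardenSensitiveFields(demoFields));
```

The check is attribute-based rather than type-based on purpose: once a "show password" control has flipped the field to type=text, only the autocomplete token or the explicit data-sensitive tag still identifies it as sensitive, so revealPassword sets the attribute itself instead of relying on a later pass over the form.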

For most users, the best course is to disable spell checking in Chrome and Edge, thereby avoiding sending this data. There is no information on what Google or Microsoft do with it, but ideally this data should never leave the user's control.

Google statement on this situation – 20/09/2022

Enhanced Spell Check proactively requires user consent. The configuration description states:

'The improved spell check uses the same spell checker used in Google search. The text that the user types into the browser is sent to Google.'

Text entered by the user may contain sensitive personal information and Google does not associate it with any user identity. Also, it only processes it on the server temporarily. To further ensure user privacy, we will work to PROACTIVELY exclude passwords from spell checking.

We appreciate the collaboration of the security community and are always looking for ways to better protect user privacy and confidential information.
