Spellcheckers are an extremely helpful feature that boosts productivity by letting us proofread our typed documents and inputs quickly and easily. Unfortunately, when it comes to the spellcheckers built into web browsers, there is a security weak point that we need to take into account. Are they checking our passwords and, if so, is anybody able to access that spellchecking data? The answers to these questions seem to be troubling. Let’s check it out.
A research report by JavaScript cybersecurity specialists otto-js has unearthed some worrying findings about the spellchecker features in the Google Chrome and Microsoft Edge web browsers. Yes, they are helping us boost our productivity, but they are also sharing our password details with websites whenever we are trying to log into our web accounts and services.
According to the report, there are three primary websites and services that are exposed to this vulnerability. These are Office 365, Alibaba – Cloud Service, and Google Cloud – Secret Manager. AWS – Secret Manager and LastPass were also vulnerable, but they have already fully mitigated the issue according to the otto-js report.
Josh Summit at otto-js had this to say about this rather novel vulnerability:
“Some of the largest websites in the world have exposure to sending Google and Microsoft sensitive user PII, including username, email, and passwords, when users are logging in or filling out forms […] If ‘show password’ is enabled, the feature even sends your password to their 3rd-party servers.”
Unfortunately, until this vulnerability is mitigated by the affected sites, there is nothing you as a user can do to safeguard your web usage apart from disabling your browser’s spellchecker. In truth, however, this isn’t a massive price to pay: although spellcheckers are useful in web browsers, they are nowhere near as useful as they are in word processors.