SoylentNews is people

posted by martyb on Tuesday September 20 2022, @09:30PM
from the yore-sew-rite! dept.

Your data may be in danger if you use a spellchecker:

If you like to be thorough and use an advanced spellchecker, we have some bad news — your personal information could be in danger.

Using the extended spellcheck in Google Chrome and Microsoft Edge transmits everything you input in order for it to be checked. Unfortunately, this includes information that should be strictly encrypted, such as passwords.

This issue, first reported by JavaScript security firm otto-js, was discovered accidentally while the company was testing its script behaviors detection. Josh Summitt, co-founder and CTO of otto-js, explains that pretty much everything you enter in form fields with advanced spellchecker enabled is later transmitted to Google and Microsoft.

“If you click on ‘show password,’ the enhanced spellcheck even sends your password, essentially spell-jacking your data,” said otto-js in its report. “Some of the largest websites in the world have exposure to sending Google and Microsoft sensitive user PII [personally identifiable information], including username, email, and passwords, when users are logging in or filling out forms. An even more significant concern for companies is the exposure this presents to the company’s enterprise credentials to internal assets like databases and cloud infrastructure.”

Many people use “show password” in order to make sure they haven’t made a typo, so potentially, a lot of passwords could be at risk here. Bleeping Computer tested this further and found that entering your username and password on CNN and Facebook sent the data to Google, while SSA.gov, Bank of America, and Verizon only sent the usernames.

[...] If you’d rather not have your personal data transmitted to Microsoft and Google, you should stop using the advanced spellchecker for the time being. This means disabling the feature in your Chrome settings. Simply copy and paste this into your browser’s address bar: chrome://settings/?search=Enhanced+Spell+Check.

For Microsoft Edge, the advanced spellchecker comes in the form of a browser add-on, so simply right-click the icon of that extension in your browser and then tap on Remove from Microsoft Edge.


This discussion was created by martyb (76) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 2, Touché) by Anonymous Coward on Tuesday September 20 2022, @09:36PM (4 children)

    by Anonymous Coward on Tuesday September 20 2022, @09:36PM (#1272635)

    If you’d rather not have your personal data transmitted to Microsoft and Google, you should stop using the...

    internet

    • (Score: 4, Interesting) by MostCynical on Tuesday September 20 2022, @11:58PM (1 child)

      by MostCynical (2589) on Tuesday September 20 2022, @11:58PM (#1272664) Journal

      not quite this.

      you can, but using 'safe(r)' browsers and 'good' plug-ins... anything from Google or Microsoft is going to be dubious, but actually doing your homework on the developer/s, licensing and sourcing of browsers, plugins and any program you install is necessary - but only hardened 'geeks' (yes, the mild paranoiacs) actually bother

      you can't make people comprehend how much they, and their data, are at risk - they just want to 'use' the internet, not understand it

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
      • (Score: 0) by Anonymous Coward on Thursday September 22 2022, @01:42AM

        by Anonymous Coward on Thursday September 22 2022, @01:42AM (#1272927)

        Sorry, but your browser is irrelevant. The leaks are built into the hardware and OS, and by design, the entire infrastructure. Privacy on the internet simply does not exist

    • (Score: 5, Insightful) by Rosco P. Coltrane on Wednesday September 21 2022, @12:40AM (1 child)

      by Rosco P. Coltrane (4757) on Wednesday September 21 2022, @12:40AM (#1272668)

      Indeed...

      Here's something else that's disturbing: I don't use Windows often, but sometimes I have to to write .docx files at work.

      The other day, I wrote a report on a field test of one of our products. I imported a photo I shot at the test location and Word immediately showed a disturbingly accurate description of the contents of the image - "Electronic equipment in a forest" or something.

      Meaning my photo was uploaded to a Microsoft server and an AI that proceeded to analyze it without my consent. How is that even legal? Fuck this!

      • (Score: 2) by drussell on Wednesday September 21 2022, @01:39PM

        by drussell (2678) on Wednesday September 21 2022, @01:39PM (#1272754) Journal

        That's absolutely crazy! This bullshit is completely out of control...

  • (Score: 3, Insightful) by kreuzfeld on Tuesday September 20 2022, @09:36PM

    by kreuzfeld (8580) on Tuesday September 20 2022, @09:36PM (#1272636)

    Haven't run into this on Firefox, thank goodness. And for normal spell-checking, good old M-x ispell is still doing the trick for me.

  • (Score: 1, Insightful) by Anonymous Coward on Tuesday September 20 2022, @09:58PM (1 child)

    by Anonymous Coward on Tuesday September 20 2022, @09:58PM (#1272642)

    It's been a long time since I've done anything with web pages. If the text input form doesn't have a "nospellcheck" characteristic, it should. Otherwise, maybe there's some more elaborate JavaScript method to intercept all the input to the form on the page and *only* send it as encrypted text to the appropriate server. Sometimes people look down on web developers, but it can certainly take a lot of pluck to navigate your way through that morass of junk that was never really meant to deliver applications in the first place, and has been hacked over the years to deliver them, and then you're trying to deliver them securely? No envy.

    • (Score: 0) by Anonymous Coward on Wednesday September 21 2022, @01:51PM

      by Anonymous Coward on Wednesday September 21 2022, @01:51PM (#1272757)
      Chrome's basic spellcheck (which is the default) doesn't send stuff to Google (not that we know of so far).

      So the fix is to not enable the enhanced spellcheck.
  • (Score: 5, Funny) by Freeman on Tuesday September 20 2022, @10:01PM

    by Freeman (732) on Tuesday September 20 2022, @10:01PM (#1272643) Journal

    Microsoft and Google love to hoover your data up. I mean what if you accidentally misspelled your password (password). Who would be able to help you then?

    --
    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
  • (Score: 2) by looorg on Tuesday September 20 2022, @10:17PM (5 children)

    by looorg (578) on Tuesday September 20 2022, @10:17PM (#1272647)

    "Many people use “show password” in order to make sure they haven’t made a typo, so potentially, a lot of passwords could be at risk here."

    They do? These are the same many people that look at the keyboard as they type isn't it? Those "people".

    That said it's somewhat beyond stupid that you should spellcheck your passwords. But I guess the issue here is then that a form input box is an input box and I guess it was just too much work to separate the normal input box from the password box. Might as well just gather all the data as per usual for the "insights" it will provide.

    • (Score: 2) by legont on Tuesday September 20 2022, @10:35PM (2 children)

      by legont (4179) on Tuesday September 20 2022, @10:35PM (#1272651)

      There has definitely been a password box in all of them ever since I first touched html. I have not done it for a while, but my Firefox sometimes ignores the setting. I suspect it happens when I have too many tabs and it runs out of space. Yes, Firefox, not Chrome. Anyway, my financial activities happen only in a dedicated VM and only after a fresh reboot.

      --
      "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
      • (Score: 2) by looorg on Tuesday September 20 2022, @11:09PM (1 child)

        by looorg (578) on Tuesday September 20 2022, @11:09PM (#1272660)

        It's been a long time since I wrote any forms in html and such but I had an inkling at the back of my mind that they were separate input types for the different boxes, that said I think the password input just makes the input in the box *:s. It does not as far as I can recall provide any actual different security beyond that. But I could be wrong on that one.
        So if you want to show passwords, since most people apparently do that according to the article, I guess you just change the input type away from password to text if you want to show the input or you use some other CSS shenanigans or something to replace them with normal text input boxes. I guess nothing stops you from using a normal text input box for your passwords. But you probably shouldn't. But still it shouldn't be too hard to differentiate between the various box input types and if it is password then you shouldn't spellcheck it.

        • (Score: 3, Informative) by coolgopher on Wednesday September 21 2022, @12:17AM

          by coolgopher (1157) on Wednesday September 21 2022, @12:17AM (#1272666)

          You're on the money with the showing password in html - it's just changing the "type" property on the input field.

          <input type="password"/>

          becomes

          <input type="text"/>

          The browser would need to start maintaining some form of "password taint" flag on each input node, and prevent any field that's ever had the type "password" from being spellchecked. Doable, but certainly a bit of a pain. I don't get why you wouldn't just do the spellchecking locally in the first place. Oh wait, data harvesting, I forgot - my bad. Sigh.

    • (Score: 4, Insightful) by helel on Wednesday September 21 2022, @03:37AM (1 child)

      by helel (2949) on Wednesday September 21 2022, @03:37AM (#1272684)

      On the computer it's easy enough to just type a password in but I've found when I need to use a slab of black glass to get something done their onscreen keyboards do all kinds of auto-correction which can make it difficult to determine what is actually being typed without being able to see it. This is the reason, I suspect, that password boxes have an option to show contents nowadays.

      • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 21 2022, @11:47AM

        by Anonymous Coward on Wednesday September 21 2022, @11:47AM (#1272730)

        I find if I'm using an annoying keyboard such as a touch screen or butterfly one, I have to have "show password" turned on for any reasonably complicated password. It is just way too easy to hit the wrong key on those stupid keyboards that register clicks with very little input effort.

  • (Score: 3, Informative) by RamiK on Tuesday September 20 2022, @10:51PM (2 children)

    by RamiK (1813) on Tuesday September 20 2022, @10:51PM (#1272657)

    Everyone knows cloud-based spellcheckers record your keystrokes and transmit it back home. At the very least, it came up in discussions back in 2016 over the SwiftKey emails auto-complete: https://www.theregister.com/2016/07/29/swiftkey_denies_keyboard_app_security_flaw/ [theregister.com]

    --
    compiling...
    • (Score: 2) by maxwell demon on Wednesday September 21 2022, @10:54AM (1 child)

      by maxwell demon (1608) on Wednesday September 21 2022, @10:54AM (#1272719) Journal

      But I wouldn't have expected the browser to employ a cloud-based spell checker.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 3, Insightful) by RamiK on Wednesday September 21 2022, @12:47PM

        by RamiK (1813) on Wednesday September 21 2022, @12:47PM (#1272740)

        That's odd. You know they're giving you a free browser since they make their money off selling your private usage data to advertisers. So why wouldn't you expect them to track your every keystroke? If this was some privacy oriented product I'd raise an eyebrow but Chrome and Edge? I wouldn't have expected anything else from Google and Microsoft.

        --
        compiling...
  • (Score: 0) by Anonymous Coward on Wednesday September 21 2022, @12:01AM

    by Anonymous Coward on Wednesday September 21 2022, @12:01AM (#1272665)

    autocomplete="new-password" autocorrect="off" spellcheck="false"
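
The show-password type switch coolgopher describes and the attributes listed in the comment above, combined into a site-side "password taint", as an added example that is not part of the original discussion. The function names, the `data-sensitive` marker, the choice of sensitive autocomplete tokens and the stand-in element objects are assumptions made for illustration.

```javascript
// Added example: a site-side "password taint" for form fields.
// Runs against real DOM elements in a browser; fakeInput() below builds
// constructed stand-ins with the same getAttribute/setAttribute methods.

// Standard autocomplete tokens treated as sensitive here (an assumption).
const SENSITIVE_TOKENS = new Set(['current-password', 'new-password', 'one-time-code']);

function isSensitive(el) {
  const type = (el.getAttribute('type') || 'text').toLowerCase();
  const tokens = (el.getAttribute('autocomplete') || '').toLowerCase().split(/\s+/);
  return type === 'password' ||
    el.getAttribute('data-sensitive') === 'true' ||  // taint from an earlier pass
    tokens.some(t => SENSITIVE_TOKENS.has(t));
}

// Taint the field and opt it out of browser spellcheck and autocorrect.
function harden(el) {
  if (!isSensitive(el)) return false;
  el.setAttribute('data-sensitive', 'true');  // survives type="password" -> "text"
  el.setAttribute('spellcheck', 'false');
  el.setAttribute('autocorrect', 'off');
  return true;
}

// "Show password" toggle: taint first, then switch the type.
function toggleShowPassword(el) {
  harden(el);
  const next = el.getAttribute('type') === 'password' ? 'text' : 'password';
  el.setAttribute('type', next);
  return next;
}

// Names of sensitive fields that a spellchecker is still allowed to read.
function auditFields(fields) {
  return fields
    .filter(el => isSensitive(el) && el.getAttribute('spellcheck') !== 'false')
    .map(el => el.getAttribute('name'));
}

// Constructed stand-in for an <input> element, for running outside a browser.
function fakeInput(attrs) {
  const store = { ...attrs };
  return {
    getAttribute: k => (k in store ? store[k] : null),
    setAttribute: (k, v) => { store[k] = String(v); },
  };
}

// In a page: harden every field once the DOM is available.
if (typeof document !== 'undefined') {
  document.querySelectorAll('input, textarea').forEach(harden);
}
```

A toggle that only flips `type` leaves the now-text field indistinguishable from any other text box, which is the gap the marker closes.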

  • (Score: 3, Interesting) by Rosco P. Coltrane on Wednesday September 21 2022, @12:46AM (5 children)

    by Rosco P. Coltrane (4757) on Wednesday September 21 2022, @12:46AM (#1272670)

    because pointing this out invariably nets whoever says it the hatred of just about everybody on any forum for some reason. But...

    I haven't run into this issue ever because I learned how to spell properly at school and I don't need a spellchecker. On the infrequent times I have a doubt, I look up the word in a dictionary.

    And now I wait for the -1: Troll and the grammar nazi comments. But like it or not, grammar and orthography used to be a valuable skill taught in schools in the past.

    • (Score: 4, Informative) by Reziac on Wednesday September 21 2022, @02:23AM

      by Reziac (2489) on Wednesday September 21 2022, @02:23AM (#1272679) Homepage

      I don't use it as a spellchecker (similarly, Spelling was still a Class when I was in school); I use it as a typo-catcher. (Typos seem to be keyboard-dependent. My fingers do not like chiclets nor the tish-smaller that seem to be common nowadays.)

      --
      And there is no Alkibiades to come back and save us from ourselves.
    • (Score: 4, Interesting) by stretch611 on Wednesday September 21 2022, @06:38AM (3 children)

      by stretch611 (6199) on Wednesday September 21 2022, @06:38AM (#1272698)

      I haven't run into this issue ever because I learned how to spell properly at school and I don't need a spellchecker.

      I learned how to spell in school as well... (I also learned how to due most math without a calculator/computer as well.) I can spell 99.9% of the words that I use while writing... But, I pity dyslexics...

      But, while I am not dyslexic, I do have an odd issue when typing... I regularly screw up homophones. I do not know if that is common or if it is an actual recognized condition. But I will type no/know, through/threw, too/two/to, knew/new... etc. I will know which one that I mean in my head while typing, but I will still type the wrong one. It's funny... I will "know" which one I am thinking of; I will "know" the correct meaning of the word in question; but then I will type "no".

      Plus, a spell check will not find the error because my mistake is a valid word. (A grammar check *should* find it, but I never use one of those.)

      --
      Now with 5 covid vaccine shots/boosters altering my DNA :P
      • (Score: 2) by stretch611 on Wednesday September 21 2022, @06:46PM

        by stretch611 (6199) on Wednesday September 21 2022, @06:46PM (#1272838)

        I also learned how to due most math without a calculator/computer as well.

        This example was unintentional. I realize it should have been do.

        --
        Now with 5 covid vaccine shots/boosters altering my DNA :P
      • (Score: 2) by Reziac on Thursday September 22 2022, @12:51AM

        by Reziac (2489) on Thursday September 22 2022, @12:51AM (#1272922) Homepage

        I think I-know-better-really-I-do homophones happen because finger reflexes get ahead of your brain, and fingers don't differentiate.

        Mine sometimes make up their own, frex typing one instead of won progressed to typing not won't, but one't !!

        My fingers will also mix letters around (sometimes across more than one word) so all the correct letters are there, but not in the normal order.

        I am likewise not dyslexic. Usually I catch and correct these as they go by, but the fingers still do 'em.

        Odd thought: maybe typing uses the same brain circuitry as the stuff we jump over instead of "showing your work".

        --
        And there is no Alkibiades to come back and save us from ourselves.
      • (Score: 0) by Anonymous Coward on Thursday September 22 2022, @02:13AM

        by Anonymous Coward on Thursday September 22 2022, @02:13AM (#1272934)

        > ... I regularly screw up homophones.

        My problem is messing up two letter words that share one letter -- of/on, if/in, at/it, etc. Anyone know if there is a name for this problem?

        I first noticed it during the editing process of a ~900 reference/text book, about 30 years ago (MS-DOS/ascii wordprocessor). My brute force solution was to keep a small file with all these pairs (the mistakes could go either way) and I spent considerable time running through all the text with search & conditional-replace for each of the short words. Caught dozens of them...but sadly not all, every now and then someone spots one and they are kind enough to let me know.

  • (Score: 4, Insightful) by drussell on Wednesday September 21 2022, @01:38PM (1 child)

    by drussell (2678) on Wednesday September 21 2022, @01:38PM (#1272753) Journal

    There have been usable spell checkers running entirely on local computing devices since the 8-bit days.

    Why the everliving fuck would it be necessary to send things "to the cloud" for spell checking. That is absurd!

    (Of course, we all know the answer. It is a convenient way of snarfing information about what you're up to!)

    • (Score: 2) by DannyB on Wednesday September 21 2022, @02:36PM

      by DannyB (5839) Subscriber Badge on Wednesday September 21 2022, @02:36PM (#1272775) Journal

      Because the cloud is secure!

      And, um, other reasons.

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.