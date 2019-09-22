from the yore-sew-rite! dept.
Your data may be in danger if you use a spellchecker:
If you like to be thorough and use an advanced spellchecker, we have some bad news — your personal information could be in danger.
Using the extended spellcheck in Google Chrome and Microsoft Edge transmits everything you input in order for it to be checked. Unfortunately, this includes information that should be strictly encrypted, such as passwords.
This issue, first reported by JavaScript security firm otto-js, was discovered accidentally while the company was testing its script behaviors detection. Josh Summitt, co-founder and CTO of otto-js, explains that pretty much everything you enter in form fields with advanced spellchecker enabled is later transmitted to Google and Microsoft.
“If you click on ‘show password,’ the enhanced spellcheck even sends your password, essentially spell-jacking your data,” said otto-js in its report. “Some of the largest websites in the world have exposure to sending Google and Microsoft sensitive user PII [personally identifiable information], including username, email, and passwords, when users are logging in or filling out forms. An even more significant concern for companies is the exposure this presents to the company’s enterprise credentials to internal assets like databases and cloud infrastructure.”
Many people use “show password” in order to make sure they haven’t made a typo, so potentially, a lot of passwords could be at risk here. Bleeping Computer tested this further and found that entering your username and password on CNN and Facebook sent the data to Google, while SSA.gov, Bank of America, and Verizon only sent the usernames.
[...] If you’d rather not have your personal data transmitted to Microsoft and Google, you should stop using the advanced spellchecker for the time being. This means disabling the feature in your Chrome settings. Simply copy and paste this into your browser’s address bar: chrome://settings/?search=Enhanced+Spell+Check.
For Microsoft Edge, the advanced spellchecker comes in the form of a browser add-on, so simply right-click the icon of that extension in your browser and then tap on Remove from Microsoft Edge.
(Score: 0) by Anonymous Coward on Tuesday September 20, @09:36PM
(Score: 3, Insightful) by kreuzfeld on Tuesday September 20, @09:36PM
Haven't run into this on Firefox, thank goodness. And for normal spell-checking, good old M-x ispell is still doing the trick for me.
(Score: 1, Insightful) by Anonymous Coward on Tuesday September 20, @09:58PM
It's been a long time since I've done anything with web pages. If the text input form doesn't have a "nospellcheck" characteristic, it should. Otherwise, maybe there's some more elaborate JavaScript method to intercept all the input to the form on the page and *only* send it as encrypted text to the appropriate server. Sometimes people look down on web developers, but it can certainly take a lot of pluck to navigate your way through that morass of junk that was never really meant to deliver applications in the first place, and has been hacked over the years to deliver them, and then you're trying to deliver them securely? No envy.
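The "nospellcheck" characteristic asked for in the comment above exists as the HTML `spellcheck` attribute. As an added example (not code from the article, otto-js, or any commenter), the function below sets `spellcheck="false"` on credential and PII fields, including password fields so the setting survives a "show password" toggle; the field-matching heuristic and the names `isSensitive`, `hardenFields` and `fakeField` are assumptions made for illustration.

```javascript
// Assumed heuristic for fields that carry credentials or PII.
const SENSITIVE_TYPES = new Set(["password", "email"]);
const SENSITIVE_AUTOCOMPLETE = new Set(["username", "email", "current-password", "new-password", "one-time-code"]);
const SENSITIVE_NAME = /pass|pwd|user|login|email|ssn|secret|token/i;

function isSensitive(el) {
  const attr = (k) => (el.getAttribute(k) || "").toLowerCase();
  if (SENSITIVE_TYPES.has(attr("type"))) return true;
  if (attr("autocomplete").split(/\s+/).some((t) => SENSITIVE_AUTOCOMPLETE.has(t))) return true;
  return SENSITIVE_NAME.test(attr("name")) || SENSITIVE_NAME.test(attr("id"));
}

// Sets spellcheck="false" on every sensitive field and returns the names it changed.
// type="password" fields are included on purpose: the attribute stays in place when
// a "show password" toggle later flips the field to type="text".
function hardenFields(elements) {
  const changed = [];
  for (const el of elements) {
    if (!isSensitive(el)) continue;
    if ((el.getAttribute("spellcheck") || "").toLowerCase() === "false") continue;
    el.setAttribute("spellcheck", "false");
    changed.push(el.getAttribute("name") || el.getAttribute("id") || "(unnamed)");
  }
  return changed;
}

// Constructed stand-in for a DOM element so the check also runs under Node.
function fakeField(attrs) {
  const a = { ...attrs };
  return {
    getAttribute: (k) => (k in a ? a[k] : null),
    setAttribute: (k, v) => { a[k] = String(v); },
  };
}

// Constructed sample login form.
const sampleForm = [
  fakeField({ type: "text", name: "username", autocomplete: "username" }),
  fakeField({ type: "password", name: "pw", autocomplete: "current-password" }),
  fakeField({ type: "text", name: "comment" }),
  fakeField({ type: "text", name: "otp", autocomplete: "one-time-code", spellcheck: "false" }),
];

// In a real page, apply it to the live form controls.
if (typeof document !== "undefined") {
  hardenFields(document.querySelectorAll("input, textarea, [contenteditable]"));
}
```

Fields added to the page after load are not covered by a single call, so a site using this approach would need to call `hardenFields` again when it inserts new form controls.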
(Score: 2) by Freeman on Tuesday September 20, @10:01PM
Microsoft and Google love to hoover your data up. I mean what if you accidentally misspelled your password (password). Who would be able to help you then?

(Score: 2) by looorg on Tuesday September 20, @10:17PM
"Many people use “show password” in order to make sure they haven’t made a typo, so potentially, a lot of passwords could be at risk here."
They do? These are the same many people that look at the keyboard as they type isn't it? Those "people".
That said it's somewhat beyond stupid that you should spellcheck your passwords. But I guess the issue here is then that a form input box is an input box and I guess it was just too much work to separate the normal input box from the password box. Might as well just gather all the data as per usual for the "insights" it will provide.