Browser Spell Checkers from Google and Microsoft May Lead to PII Theft

Through the Looking Glass: On Friday, the otto-js research team published an article showing how users of Google Chrome's Enhanced Spellcheck or Microsoft Edge's Microsoft Editor can unknowingly transmit passwords and personally identifiable information (PII) to third-party cloud servers. The issue not only puts the average end user's personal information at risk, but can also expose organizational administrative credentials and other infrastructure-related information to unauthorized parties.

The issue was discovered by otto-js co-founder and chief technology officer (CTO) Josh Summit while testing the company's ability to detect the behavior of scripts. During testing, Summit and the otto-js team found that the right combination of features in Chrome's Enhanced Spellcheck or Edge's Microsoft Editor will inadvertently disclose form-field data containing PII and other sensitive information by sending it to Microsoft and Google servers. Both features require users to take explicit action to enable them, and once enabled, users are often unaware that their data is being shared with third parties.

In addition to form-field data, the otto-js team also found that user passwords could be exposed through the "show password" option. Designed to help users make sure a password has not been mistyped, the option reveals the password as plain text, and with the advanced spell checking features enabled that plain text is sent to the third-party servers as well.

Individual users are not the only parties at risk; the issue could also allow enterprise credentials to be compromised by unauthorized third parties. The otto-js team provided the following examples to show how the credentials users enter when logging into cloud services and infrastructure accounts are unknowingly passed to Microsoft or Google servers.

The first image (above) is an example of an Alibaba Cloud account login. When you sign in with Chrome, the Enhanced Spellcheck feature passes request information to Google's servers without the administrator's knowledge or authorization. As seen in the screenshot below, this request includes the actual password entered to log into the company's cloud. Access to this type of information can lead to anything from the theft of corporate and customer data to the complete compromise of critical infrastructure.

The otto-js team tested and analyzed control groups of sites in social media, office tools, healthcare, government, e-commerce, and banking/financial services. Over 96% of the 30 control groups tested sent data back to Microsoft and Google, and 73% of the sites and groups tested sent passwords to third-party servers when the "show password" option was selected. The sites and services that did not were simply the ones without a "show password" function; they were not necessarily properly mitigated.
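The two behaviors described above, text-field contents going to a cloud spell checker and a "show password" control turning a password field into a spell-checked text field, suggest two checks a site owner can run before relying on a vendor fix. The JavaScript below is an added example and is not code from the otto-js write-up or from any of the sites it tested. It audits a constructed login form for input fields whose values a cloud spell checker could receive, and shows a show-password toggle that marks the field spellcheck="false" before revealing the value. The sample form, the list of spell-checked input types, the sensitive-name pattern and the fakeInput stand-in are assumptions made for illustration; the HTML spellcheck attribute itself is the standard opt-out for browser spell checking.

```javascript
// Added example: audit markup for "spell-jacking" exposure and harden a show-password toggle.
// Assumptions (not from the otto-js write-up): the HTML spellcheck="false" attribute opts a
// field out of browser spell checking, and a show-password control flips <input type="password">
// to type="text", which is what makes the value eligible for enhanced spell check.

// Input types whose contents a browser may hand to its spell checker. Password fields are
// included because a show-password toggle turns them into text fields. Illustrative list.
const SPELLCHECKED_TYPES = new Set(["text", "search", "password"]);

// Field names that suggest a secret. Illustrative pattern; a real audit uses the site's own
// inventory of sensitive fields.
const SENSITIVE_NAME = /pass|pwd|secret|token|ssn|card/i;

// Pull every <input ...> tag out of an HTML string and return its attributes as an object.
// Attribute-level regexes are enough for static markup; this is not a full HTML parser and
// will miss tags whose attribute values contain a literal ">".
function parseInputs(html) {
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const inputs = [];
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(tag[1])) !== null) {
      const value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4] !== undefined ? a[4] : "";
      attrs[a[1].toLowerCase()] = value;
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Classify each input: "exposed" means enhanced spell check could see its value as typed
// (or, for a password field, once a show-password toggle reveals it).
function auditInputs(html) {
  return parseInputs(html).map((attrs) => {
    const type = (attrs.type || "text").toLowerCase(); // a missing type attribute means text
    const name = attrs.name || attrs.id || "(unnamed)";
    const optedOut = (attrs.spellcheck || "").toLowerCase() === "false";
    return {
      name,
      type,
      sensitive: SENSITIVE_NAME.test(name),
      exposed: SPELLCHECKED_TYPES.has(type) && !optedOut,
    };
  });
}

// Names of fields that are both sensitive-looking and exposed: the ones to fix first.
function spellJackingFindings(html) {
  return auditInputs(html).filter((f) => f.sensitive && f.exposed).map((f) => f.name);
}

// Hardened show-password toggle for a real DOM input: mark the field spellcheck="false"
// before switching it to a text field so the revealed value stays out of the spell checker.
function revealPassword(el) {
  el.setAttribute("spellcheck", "false");
  el.spellcheck = false;
  el.type = "text";
  return el;
}

// Minimal stand-in for a DOM input element so the toggle can be exercised outside a browser.
function fakeInput(type) {
  const attrs = {};
  return { type, spellcheck: true, attrs, setAttribute(k, v) { attrs[k] = v; } };
}

// Constructed sample login form (not taken from any real site). The password field has no
// spellcheck="false" and the checkbox toggles it to type="text": the pattern otto-js found.
const SAMPLE_FORM = `
<form action="/login" method="post">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" id="pw">
  <input type="checkbox" id="show" onclick="pw.type = pw.type === 'password' ? 'text' : 'password'">
  <input type="password" name="otp_token" spellcheck="false">
  <input type="submit" value="Sign in">
</form>`;

console.log('fields needing spellcheck="false":', spellJackingFindings(SAMPLE_FORM));
```

On the sample form the audit flags only the "password" field: "otp_token" already carries spellcheck="false", and "username" is exposed but does not look like a secret. Wiring the checkbox to revealPassword(document.getElementById("pw")) instead of assigning pw.type directly keeps the revealed value out of the spell checker regardless of the user's browser settings.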

The otto-js team singled out Microsoft 365, Alibaba Cloud, Google Cloud, AWS, and LastPass as the top five sites and cloud service providers that pose the greatest risk to their enterprise customers. According to updates from the security company, both AWS and LastPass have already responded and indicated that the issue has been fixed.

Image credit: magnifying glass by the Olloweb agency; vulnerability screenshots from otto-js.
