We suspect that to offer features as useful as the spell checker, Microsoft and Google are obliged to collect statistical data. This poses no problem as long as the data are anonymized. But according to the IT security company Otto-js, the enhanced spell checker, which users must activate voluntarily and which sends the information entered in online forms to Google and Microsoft servers, exposes Internet users to the theft of personal data.
Payment methods, addresses, names, dates of birth, Social Security or passport numbers: every day, millions of users send their most personal data to the servers of Silicon Valley giants. One can imagine the consequences that the theft of all this data could have if the security flaw exposed by the improved spell checker were misused. Even the sacrosanct passwords are exposed. According to Josh Summit, Chief Technology Officer at Otto-js, if Show Password is enabled, your password is sent to their third-party servers. “What is worrying is the ease with which these features can be activated. Users will engage them without realizing what is happening”.
Improved spell checkers from Microsoft and Google flirt with illegality
Hackers who know how to exploit these flaws could intercept communications between the user and the servers of Google or Microsoft. According to Otto-js, by storing passwords typed into our forms, these two companies are guilty of “Spell-Jacking” (password hijacking) and act illegally by violating one of the fundamental principles of computer security, the “need-to-know” principle. While all sites are affected by this flaw, Alibaba Cloud Service, Office 365 and Google Cloud are particularly vulnerable. Logically, public organizations and companies such as Microsoft are the preferred targets of these attacks.
The researchers demonstrated the danger of the enhanced spell checker by logging into their Alibaba Cloud account and then proving that their password had indeed been sent to Google’s servers. In a video supporting their conclusions, they explain how companies expose their infrastructure (servers, databases, passwords and more) through this seemingly innocuous feature. While the responsibility for correcting this breach lies with Google and Microsoft, let’s not forget that users are the primary guarantors of the security of their personal data. It is therefore strongly recommended not to enable Enhanced Spell Checker and to always install the latest Chrome updates.
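The problem the researchers describe is that form fields holding sensitive data (passwords revealed by a “show password” toggle, card numbers, identity numbers) are handed to the spell checker like any other text. Site owners cannot control which browser extension a visitor has enabled, but they can audit their own forms for sensitive fields that do not explicitly opt out. The script below is an added example, not code from the article or from Otto-js: it parses an HTML form with Python’s standard-library parser and flags sensitive fields that lack `spellcheck="false"`. The sample form and the rules deciding which fields count as sensitive (type, `autocomplete` token, name pattern) are my own assumptions.

```python
"""Audit an HTML form for sensitive fields that a browser spell checker could still read.

Added example (not from the article). Flags <input>/<textarea> elements that look
sensitive but do not carry spellcheck="false". A password input is flagged even
though its type is "password", because a "show password" toggle turns it into a
plain text field at runtime, at which point the spell checker sees its contents.
"""
import re
from html.parser import HTMLParser

# Input types that never hold free text and are skipped (assumption).
SKIP_TYPES = {"hidden", "submit", "button", "checkbox", "radio", "file", "reset", "image"}
# Input types treated as sensitive (assumption).
SENSITIVE_TYPES = {"password", "email", "tel"}
# autocomplete tokens treated as sensitive (assumption; these are standard HTML tokens).
SENSITIVE_AUTOCOMPLETE = {"cc-number", "cc-csc", "current-password", "new-password", "one-time-code"}
# Name/id fragments treated as sensitive (assumption, tune for your own forms).
SENSITIVE_NAME_RE = re.compile(r"(pass|pwd|ssn|social|passport|card|cvv|csc|iban|account)", re.I)


class SpellcheckAuditor(HTMLParser):
    """Collects form fields that are sensitive but not opted out of spell checking."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "textarea"):
            return
        # Boolean attributes arrive with value None; normalise to "".
        a = {k.lower(): (v or "") for k, v in attrs}
        typ = a.get("type", "text").lower() if tag == "input" else "textarea"
        if typ in SKIP_TYPES:
            return
        label = a.get("name") or a.get("id") or "<unnamed>"
        reasons = []
        if typ in SENSITIVE_TYPES:
            reasons.append(f"type={typ}")
        if a.get("autocomplete", "").lower() in SENSITIVE_AUTOCOMPLETE:
            reasons.append(f"autocomplete={a['autocomplete']}")
        if SENSITIVE_NAME_RE.search(label):
            reasons.append("name matches sensitive pattern")
        if not reasons:
            return
        # Only an explicit spellcheck="false" opts the field out.
        if a.get("spellcheck", "").strip().lower() != "false":
            self.findings.append({
                "tag": tag,
                "field": label,
                "reasons": reasons,
                "spellcheck": a.get("spellcheck"),
            })


def audit_html(html: str):
    """Return a list of findings (dicts) for sensitive fields lacking spellcheck="false"."""
    parser = SpellcheckAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample form for an offline run; not taken from any real site.
SAMPLE_FORM = """
<form action="/login" method="post">
  <input type="text" name="username" spellcheck="false">
  <input type="password" id="pw" name="password">
  <input type="text" name="card_number" autocomplete="cc-number">
  <input type="text" name="ssn" spellcheck="false">
  <textarea name="comments"></textarea>
  <input type="email" name="email" spellcheck="true">
  <input type="hidden" name="csrf">
</form>
"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_FORM):
        print(f"{f['tag']} '{f['field']}': spellcheck={f['spellcheck']!r}; {', '.join(f['reasons'])}")
```

Fields that already carry `spellcheck="false"` (here `username` and `ssn`) pass, while the password field, the card-number field and the e-mail field (which explicitly enables spell checking) are reported. Run it over rendered templates rather than raw source if your framework injects attributes at render time.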
Source: BleepingComputer