Google Servers Can Get Your Passwords If You Use Advanced Spell Checking in Chrome

It’s only a problem when you use ‘show password’ on sites that don’t conform to best practices

Google Chrome is full of useful features, like spell checking. In addition to standard spell checking, Chrome also offers “Advanced Spell Checking”. When you enable it, Google notes that anything you type in the browser will be sent to the company’s servers to run through advanced grammar and style algorithms. That notice already makes clear that you probably shouldn’t enable it if you’re concerned about data security, and an investigation has confirmed this. In some circumstances, your password and username may be sent to Google’s spell-checking servers during login processes.

An inquiry by Otto-JS (via Bleeping Computer) has disclosed that the passwords you type in a login form may be sent to Google servers when you use the “Reveal Password” feature. This is an option on many websites that makes it easier to fill in a password because it allows you to see what you’re typing in plain text. However, it also means that Chrome’s usual privacy protections don’t work, because this password text can be treated as regular text meant to be spell checked. Websites can prevent this from happening by adding a “spellcheck=false” HTML attribute to the field in question, but as Bleeping Computer and Otto-JS show, this is something that many websites ignore, including Big Tech sites like Facebook. Huh.
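The check a site owner can run on their own login form, as an added example that is not code from the article, Otto-JS or Google: it flags sensitive fields that do not end up with spellcheck="false", including password fields that a show-password toggle would turn into plain text. The field-name heuristic and the `fakeEl` stand-in are assumptions made for the example.

```javascript
// Added example (not from the article): audit login fields for spell-check exposure.
// In a browser: auditFields(document.querySelectorAll("input, textarea")).
const NAME_HINT = /pass|pwd|user|login/i; // assumption: heuristic for field names

// spellcheck is inherited, so walk up to the nearest element that sets it.
function effectiveSpellcheck(el) {
  for (let node = el; node; node = node.parentElement) {
    const raw = node.getAttribute("spellcheck");
    if (raw === null) continue;
    const v = raw.trim().toLowerCase();
    if (v === "false") return false;
    if (v === "true" || v === "") return true;
  }
  return null; // never set: the browser default applies
}

function isSensitive(el) {
  const type = (el.getAttribute("type") || "text").toLowerCase();
  const ac = (el.getAttribute("autocomplete") || "").toLowerCase();
  const label = `${el.getAttribute("name") || ""} ${el.getAttribute("id") || ""}`;
  return type === "password" || /password|username/.test(ac) || NAME_HINT.test(label);
}

function auditFields(elements) {
  const findings = [];
  for (const el of elements) {
    if (!isSensitive(el) || effectiveSpellcheck(el) === false) continue;
    const type = (el.getAttribute("type") || "text").toLowerCase();
    findings.push({
      field: el.getAttribute("name") || el.getAttribute("id") || "(unnamed)",
      risk: type === "password"
        ? "exposed when a show-password toggle switches it to text"
        : "already plain text, eligible for spell checking",
    });
  }
  return findings;
}

// Remediation the article describes: set spellcheck="false" on the field.
function harden(elements) {
  for (const el of elements) if (isSensitive(el)) el.setAttribute("spellcheck", "false");
}

// Constructed stand-in for DOM elements so the audit also runs under Node.
function fakeEl(attrs, parentElement = null) {
  return {
    parentElement,
    getAttribute: (k) => (k in attrs ? attrs[k] : null),
    setAttribute: (k, v) => { attrs[k] = String(v); },
  };
}
```

Setting the attribute once on the enclosing form covers every field inside it, which is why the audit resolves the inherited value instead of reading only the field's own attribute.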

LastPass was also one of the companies affected by this flaw. After being contacted by Otto-JS, the security company fixed the problem by introducing a “spellcheck=false” attribute to its input field.

When asked by Bleeping Computer, Google explained that enhanced spell checking is only enabled on an opt-in basis, and people are warned that this means all their input data is sent to the server. This already limits who is affected by the problem in the first place. The company then clarified that it is aware that data can sometimes be sensitive, so the text is not associated with any user identification and is only temporarily stored and processed on Google’s servers. The company further vowed to improve its processes to exclude passwords from being actively processed.

The investigation also found the Microsoft Editor browser extension to be guilty of the same issue. This is to be expected, as the Microsoft service also relies on cloud-based processing to offer better spelling, style, and grammar checking.

Given that both Microsoft and Google are clear about the text you send to their servers, we don’t think it should surprise anyone that under the right circumstances, their passwords can be sent along with other text they type. It’s clear that both spell checkers shouldn’t be used if you handle confidential information regularly, because you hand over access to everything you type to a party that’s beyond your control, even though both offer good privacy policies. It’s good that this investigation has brought to light some issues with cloud-based spell checking, but it really should be something that can be anticipated with a cloud-based spell checker.

If you are already using one of the many great password managers, you should be in the clear even when you use Chrome’s advanced spell check or the Microsoft Editor. In the end, you’ll just copy and paste the password or use the AutoFill extension. The only thing you should be aware of here is that there are also tools that sync your clipboard across your devices. If you use any of these, your passwords may appear in places you don’t expect them to, including on some company’s servers.