On the other side of the mirror: On Friday, the otto-js research team published an article describing how users who have enabled the enhanced spelling features of Google Chrome or Microsoft Edge can unknowingly transmit passwords and personally identifiable information (PII) to third-party cloud-based servers. The vulnerability not only puts the average end user’s private information at risk, it can also leave an organization’s administrative credentials and other infrastructure-related information exposed to unauthorized parties.
The vulnerability was discovered by Josh Summit, co-founder and chief technical officer (CTO) of otto-js, while testing the company’s script behavior detection capabilities. During testing, Summit and the otto-js team found that the right combination of features in Chrome’s Enhanced Spellcheck or Edge’s MS Editor would unintentionally expose field data containing PII and other sensitive information, sending it back to Microsoft and Google servers. Both features require users to take explicit action to enable them, and once enabled, users are often unaware that their data is being shared with third parties.
In addition to field data, the otto-js team also discovered that user passwords could be exposed through the show password option. The option, intended to help users ensure that passwords are not mistyped, turns the masked field into plain text and thereby inadvertently exposes the password to third-party servers via the enhanced spell check features.
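The mechanism above is a plain input type change: a show-password toggle that flips the field to type="text" makes it eligible for the browser spell checker, which a password field is not. The following is an added example (not otto-js code) of how a site can keep the field out of spell check while revealed, plus an audit helper over a constructed list of form fields; the element ids and field list are assumptions.

```javascript
// Added example: harden a "show password" toggle and audit a form's fields.
// Background: type="password" inputs are never spell checked; once a toggle
// sets type="text", the browser's default spellcheck=true applies unless the
// page explicitly sets spellcheck="false" on the element.

// Attributes to apply when revealing/hiding the password (pure, testable).
function revealedFieldAttributes(reveal) {
  return {
    type: reveal ? 'text' : 'password',
    spellcheck: 'false',     // keep the spell checker off even while revealed
    autocomplete: 'off',
    autocorrect: 'off',      // Safari hint, harmless elsewhere
    autocapitalize: 'none',
  };
}

// Would this field be handed to enhanced spell check? Accepts a DOM input or a
// plain object with `type` and `spellcheck` (attribute string or boolean).
function isExposedToSpellcheck(field) {
  const type = String(field.type || 'text').toLowerCase();
  const raw = field.spellcheck;
  const sc = raw === undefined || raw === null ? 'true' : String(raw).toLowerCase();
  return type === 'text' && sc !== 'false';
}

// Return the names of all fields in a form description that are exposed.
function auditFields(fields) {
  return fields.filter(isExposedToSpellcheck).map((f) => f.name);
}

// Constructed sample: a login form after a naive toggle revealed the password.
const SAMPLE_FORM = [
  { name: 'username', type: 'text', spellcheck: 'false' },
  { name: 'password', type: 'text' },                   // naive reveal: exposed
  { name: 'otp',      type: 'password' },               // still masked: safe
  { name: 'comment',  type: 'text' },                   // free text: expected
];

// Wire the toggle when a DOM is present (assumed ids: #pw and #pw-toggle).
function applyToggle(input, reveal) {
  for (const [k, v] of Object.entries(revealedFieldAttributes(reveal))) {
    input.setAttribute(k, v);
  }
  return !isExposedToSpellcheck(input);
}
if (typeof document !== 'undefined') {
  const pw = document.getElementById('pw');
  const btn = document.getElementById('pw-toggle');
  if (pw && btn) btn.addEventListener('click', () => applyToggle(pw, pw.type === 'password'));
}
```

Running `auditFields(SAMPLE_FORM)` on the constructed form flags `password` and `comment`; the latter is expected, the former is the spell-jacking exposure the article describes.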
Individual users aren’t the only parties at risk. The vulnerability can cause corporate credentials to be compromised by unauthorized third parties. The otto-js team has provided the following examples to show how users logging into cloud services and infrastructure accounts can have their account access credentials unknowingly transmitted to Microsoft or Google servers.
The first image (above) is an example of an Alibaba Cloud account login. When connecting through Chrome, the Enhanced Spellcheck feature passes request information to Google servers without permission from an administrator. As shown in the screenshot below, this request information includes the actual password entered for the corporate cloud connection. Access to this type of information can lead to anything from theft of corporate and customer data to the complete compromise of critical infrastructure.
The otto-js team conducted testing and analysis in control groups focused on social media, office tools, healthcare, government, e-commerce, and banking/financial services. Over 96% of the 30 control groups tested returned data to Microsoft and Google. 73% of the sites and groups tested sent passwords to third-party servers when the show password option was selected. The sites and services that did not were those that simply lacked a show password function, and were not necessarily properly mitigated.
The otto-js team reached out to Microsoft 365, Alibaba Cloud, Google Cloud, AWS, and LastPass, which represent the top five sites and cloud service providers with the greatest risk exposure for their enterprise customers. According to updates from the security company, AWS and LastPass have already responded and indicated that the issue has been resolved.