An information security research team has discovered that the Chrome and Edge browsers’ spellchecking tools send passwords from various websites to Google and Microsoft, Neowin reports.
The Otto-js security analysts found that the Microsoft Editor in Edge and the enhanced spellcheck setting in Chrome relay data typed into text boxes in plaintext to the companies’ servers.
These include usernames, emails, and passwords — anything typed into a text box that these features check.
Passwords are only sent when using the “Show Password” feature available on some websites to make it easier for users to ensure they didn’t mistype.
The researchers shared an image of Chrome sending the details of an Alibaba Cloud user to Google’s servers as an example.
Image: Alibaba Cloud login password being shared to Google server.
Otto-js tested the exploit on 30 websites from various sectors and found that 96.7% of them sent the personally-identifiable information to Google and Microsoft.
After reporting the issue, Google patched some of its own websites and services included in the researchers’ test group to avoid the issue. It has not yet patched Chrome’s spellchecker, though.
Amazon Web Services and LastPass have also already rolled out updates to mitigate the issue, even though they weren’t in the test group.
Otto-js recommended that users turn the spellchecker off until Google and Microsoft patch this vulnerability.
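Site owners can check their own forms for this exposure. The following is an added example, not code from Otto-js or Neowin: it assumes the standard HTML `spellcheck="false"` attribute as the per-field opt-out, and the helper names, field-name heuristic and sample markup are constructed for illustration.

```javascript
// Added example: helper names, heuristics and sample markup are constructed.
const SENSITIVE_NAME = /pass|pwd|user|login|email|secret|token/i;
const TEXT_TYPES = new Set(["text", "search", "email", "url", "tel", "password"]);

// Parse the attributes of one opening tag into a lowercase-keyed object.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*\w+/, "").replace(/\/?>$/, "");
  const re = /([a-zA-Z_:][\w:.-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of body.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return sensitive fields that do not opt out of spellchecking.
// Password inputs count because a "Show Password" toggle turns them into
// text inputs, the case described above. Limitations: a spellcheck value
// inherited from an ancestor element is not considered, and attribute
// values containing ">" are not handled.
function findExposedFields(html) {
  const findings = [];
  for (const [tag, el] of html.matchAll(/<(input|textarea)\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    const isTextarea = el.toLowerCase() === "textarea";
    const type = isTextarea ? "textarea" : (a.type || "text").toLowerCase();
    if (!isTextarea && !TEXT_TYPES.has(type)) continue;
    const label = a.name || a.id || "";
    const sensitive = type === "password" || SENSITIVE_NAME.test(label);
    if (!sensitive) continue;
    if ((a.spellcheck || "").toLowerCase() === "false") continue;
    findings.push({ field: label, type });
  }
  return findings;
}

// Constructed sample form.
const SAMPLE_FORM = `
<form>
  <input type="text" name="username">
  <input type="password" id="login-pw">
  <input type="password" name="new_password" spellcheck="false">
  <input type="text" name="search_query">
  <textarea name="comment"></textarea>
  <input type="checkbox" name="remember_user">
</form>`;

console.log(findExposedFields(SAMPLE_FORM));
```

Each reported field is a candidate for `spellcheck="false"`; the attribute stays on the element when a toggle later switches its type from password to text.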