• Tech News
    • Games
    • Pc & Laptop
    • Mobile Tech
    • Ar & Vr
    • Security
  • Startup
    • Fintech
  • Reviews
  • How To
What's Hot

Plant-based chicken startup Rebellyous Foods raises $9.5M to launch latest production tech – Startup

February 4, 2023

Startup T2 Wants to Terminate Twitter

February 4, 2023

Eight Steps An Entrepreneur Can Take To Start Repairing Their Personal Brand

February 4, 2023
Facebook Twitter Instagram
  • Contact
  • Privacy Policy
  • Terms & Conditions
Facebook Twitter Instagram Pinterest VKontakte
Behind The ScreenBehind The Screen
  • Tech News
    1. Games
    2. Pc & Laptop
    3. Mobile Tech
    4. Ar & Vr
    5. Security
    6. View All

    Bring Elden Ring to the table with the upcoming board game adaptation

    September 19, 2022

    ONI: Road to be the Mightiest Oni reveals its opening movie

    September 19, 2022

    GTA 6 images and footage allegedly leak

    September 19, 2022

    Wild west adventure Card Cowboy turns cards into weird and silly stories

    September 18, 2022

    7 Reasons Why You Should Study PHP Programming Language

    October 19, 2022

    Logitech MX Master 3S and MX Keys Combo for Business Gen 2 Review

    October 9, 2022

    Lenovo ThinkPad X1 Carbon Gen10 Review

    September 18, 2022

    Lenovo IdeaPad 5i Chromebook, 16-inch+120Hz

    September 3, 2022

    YouTube adds very convenient iPhone homescreen widgets

    October 15, 2022

    Google finishes iOS 16 Lock Screen widgets rollout w/ Maps

    October 14, 2022

    Is Apple actually turning iMessage into AIM or is this sketchy redesign rumor for laughs?

    October 14, 2022

    Samsung’s One UI 5 update is largely about personalization

    October 14, 2022

    MeetKai launches AI-powered metaverse, starting with a billboard in Times Square

    August 10, 2022

    The DeanBeat: RP1 simulates putting 4,000 people together in a single metaverse plaza

    August 10, 2022

    Improving the customer experience with virtual and augmented reality

    August 10, 2022

    Why the metaverse won’t fall to Clubhouse’s fate

    August 10, 2022

    How Apple privacy changes have forced social media marketing to evolve

    October 16, 2022

    Microsoft Patch Tuesday October Fixed 85 Vulnerabilities – Latest Hacking News

    October 16, 2022

    Decentralization and KYC compliance: Critical concepts in sovereign policy

    October 15, 2022

    What Thoma Bravo’s latest acquisition reveals about identity management

    October 14, 2022

    What is a Service Robot? The vision of an intelligent service application is possible.

    November 7, 2022

    Tom Brady just chucked another Microsoft Surface tablet

    September 18, 2022

    The best AIO coolers for your PC in 2022

    September 18, 2022

    YC’s Michael Seibel clarifies some misconceptions about the accelerator • DailyTech

    September 18, 2022
  • Startup
    • Fintech
  • Reviews
  • How To
Behind The ScreenBehind The Screen
Home»Tech News»Browser-based spell check from Google and Microsoft can lead to stolen personal data
Tech News

Browser-based spell check from Google and Microsoft can lead to stolen personal data

September 18, 2022No Comments3 Mins Read
Facebook Twitter Pinterest LinkedIn Tumblr Email
Browser-based spell check from Google and Microsoft can lead to stolen personal data
Share
Facebook Twitter LinkedIn Pinterest Email

Through the looking glass: On Friday, the otto-js Research Team published an article outlining how users leveraging Google Chrome or Microsoft Edge’s enhanced spelling features may be unknowingly transmitting passwords and personally identifiable information (PII) to third-party cloud-based servers. The vulnerability not only puts the average end user’s private information at risk, but it can also leave an organization’s administrative credentials and other infrastructure-related information exposed to unauthorized parties.

The vulnerability was discovered by otto-js co-founder and Chief Technical Officer (CTO) Josh Summit while testing the company’s script behavior detection capabilities. During the testing, Summit and the otto-js team found that the right combination of features in Chrome’s enhanced spell check or Edge’s MS Editor will unintentionally expose field data containing PII and other sensitive information, sending it back to Microsoft and Google servers. Both features require users to take explicit action to enable them, and once enabled, users are often unaware that their data is being shared with third parties.

In addition to field data, the otto-js team also discovered user passwords might be subject to exposure via the view password option. The option, meant to aid users in ensuring passwords are not incorrectly keyed, inadvertently exposes the password to the third-party servers through the enhanced spell check functions.

Individual users are not the only parties at risk. The vulnerability can result in corporate organizations having their credentials compromised by unauthorized third parties. The otto-js team provided the following examples to show how users logging into cloud services and infrastructure accounts can have their account access credentials unknowingly passed to Microsoft or Google servers.

See also  SkorLife gives control of credit data back to Indonesian consumers – DailyTech

The first image (above) represents a sample Alibaba Clout Account login. When logging in via Chrome, the enhanced spell check function passes request information to Google-based servers without an administrator’s authorization. As seen in the screenshot below, this request information includes the actual password being entered for the company’s cloud login. Access to this type of information can result in anything from stolen corporate and customer data to the complete compromise of critical infrastructure.

The otto-js team conducted testing and analysis across control groups focused on social media, office tools, healthcare, government, ecommerce, and banking/financial services. More than 96% of the 30 control groups tested sent data back to Microsoft and Google. 73% of those sites and groups tested sent passwords to the third-party servers when the show password option was selected. Those sites and services that did not were the ones that simply lacked the show password function and were not necessarily properly mitigated.

The otto-js team reached out to Microsoft 365, Alibaba Cloud, Google Cloud, AWS, and LastPass, which represent the top five sites and cloud service providers presenting the greatest risk exposure to their corporate customers. According to the security company’s updates, both AWS and LastPass have already responded and indicated that the issue was successfully mitigated.

Image credit: Magnifying Glass by Agence Olloweb; vulnerability screenshots by otto-js

Source link

Browserbased Check data Google lead Microsoft personal spell stolen
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email

Related Posts

Eight Steps An Entrepreneur Can Take To Start Repairing Their Personal Brand

February 4, 2023

Whalesync, a Seattle startup syncing data between software apps, raises $1.8M – Startup

February 1, 2023

Microsoft Layoffs, Amazon Layoffs, And What’s Actually Happening In Tech

January 20, 2023

Ex-Lululemon chief joins Seattle startup; Microsoft AI ethics leader now at Google – Startup

January 17, 2023
Add A Comment

Comments are closed.

Editors Picks

CD Projekt Red already “thinking about” more Witcher games for the future

September 12, 2022

Key Bank selects BlueSnap as US gateway provider

August 9, 2022

Bitcoin is the new retirement strategy

August 21, 2022

Nvidia GeForce RTX 4090 is 78% faster than RTX 3090 Ti, hits 3.0 GHz in leaked benchmarks

September 9, 2022

Subscribe to Updates

Get the latest news and Updates from Behind The Scene about Tech, Startup and more.

Top Post

Plant-based chicken startup Rebellyous Foods raises $9.5M to launch latest production tech – Startup

Startup T2 Wants to Terminate Twitter

Eight Steps An Entrepreneur Can Take To Start Repairing Their Personal Brand

Behind The Screen
Facebook Twitter Instagram Pinterest Vimeo YouTube
  • Contact
  • Privacy Policy
  • Terms & Conditions
© 2023 behindthescreen.uk - All rights reserved.

Type above and press Enter to search. Press Esc to cancel.