“Show password”, the option in our preferred web browser that reveals the passwords of our accounts so we can make sure they are written correctly, is a problem for privacy on the Internet, because this information is sent to the cloud servers of the responsible companies, along with other data such as the websites we visit and what kind of text we write.
As revealed by the cybersecurity firm Otto-JS, this spell checker, represented by an eye icon and present in browsers like Google Chrome and Microsoft Edge, sends to the cloud the credentials that users enter in the form fields of websites, thus delivering data such as usernames, emails, dates of birth and identity documents, among others.
In this way, at the precise moment a user selects the “show password” option and the asterisks used to hide the information are converted into text, these passwords also end up being sent to the servers of the companies that own the browser in question.
A bug for web browsers that we did not notice
Josh Summit, co-founder and chief technology officer of the firm Otto-JS, explained how the security breach was discovered: “While investigating for data leaks across different browsers, we came across a combination of features that, once enabled, will unnecessarily expose sensitive data to third parties such as Google and Microsoft. What is worrying is how easy it is to enable these features and that most users will do so without really realizing what is happening in the background”.
Furthermore, on their website, researchers from Otto-JS showed that this can also happen when logging into platforms like Office 365, Alibaba Cloud, Google Cloud, AWS Secrets Manager and LastPass, thus exposing the digital infrastructure of the companies in question. However, the last two have already corrected the error by adding the attribute spellcheck="false" to the HTML code of their websites.
Christopher Hoff, Director of Secure Technology at LastPass, also gave his opinion on the matter in the Otto-JS investigation, mentioning that “It is puzzling that users could inadvertently be exposing sensitive data just by enabling innocuous browser features… without understanding that anything they type, including passwords, could result in that data being sent to third parties”.
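The fix described above can be checked for on your own pages. The following Python sketch is an added example, not code from Otto-JS or any vendor: it lists text-entry fields that neither carry nor inherit spellcheck="false". The set of input types treated as sensitive and the sample form are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumption: input types whose typed text a cloud spell checker could read
# (password fields count because "show password" renders them as text).
TEXT_TYPES = {"password", "text", "email", "tel", "search", "url"}
VOID = {"input", "br", "img", "hr", "meta", "link"}  # no end tag, never pushed

class SpellcheckAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, spellcheck disabled?) per open element
        self.findings = []  # (line, tag, name or id)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        inherited = self.stack[-1][1] if self.stack else False
        key = a["spellcheck"].strip().lower() if "spellcheck" in a else None
        # "false" disables, "true"/empty enables, missing or invalid inherits.
        disabled = {"false": True, "true": False, "": False}.get(key, inherited)
        is_field = tag == "textarea" or (
            tag == "input" and (a.get("type") or "text").lower() in TEXT_TYPES)
        if is_field and not disabled:
            label = a.get("name") or a.get("id") or "?"
            self.findings.append((self.getpos()[0], tag, label))
        if tag not in VOID:
            self.stack.append((tag, disabled))

    def handle_endtag(self, tag):
        # Pop back to the matching open element; ignore stray end tags.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit(html):
    parser = SpellcheckAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample login form, not taken from any real site.
SAMPLE = """<form id="login">
<input type="email" name="user">
<input type="password" name="pass" spellcheck="false">
<div spellcheck="false">
<textarea name="secret_note"></textarea>
<input type="text" name="dob" spellcheck="true">
</div>
</form>"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Each finding is a (line, tag, name) tuple; the "dob" field is reported even though its parent disables spell checking, because an explicit spellcheck="true" overrides the inherited value.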
Waiting for the fix in web browsers
Maggie Louie, co-founder of Otto-JS, pointed out that this technique, dubbed “spell-jacking”, is a very serious problem for the privacy of users on web platforms. “This may not be of concern to us when we are talking about Google and Microsoft, but in the wrong hands, could a text reader or browser extension with those same features be used for purposeful surveillance?” Louie said.
Regarding this problem, Mozilla announced last June that its Firefox Translations extension offers “cloudless translation” functionality to prevent data from being shared with its servers. However, there is currently no similar function for Google Chrome and Microsoft Edge, according to the research.