Through the looking glass: On Friday, the otto-js research team published an article explaining how users of the enhanced spell-checking features in Google Chrome or Microsoft Edge can inadvertently transmit passwords and personally identifiable information (PII) to third-party cloud servers. The vulnerability not only puts the average end user's information at risk, it can also expose enterprise administrative credentials and other infrastructure-related information to unauthorized parties.
The weakness was discovered by otto-js co-founder and CTO Josh Summitt while testing the company's script behavior detection capabilities. During that testing, Summitt and the otto-js team found that the right combination of features, Chrome's Enhanced spell check or Edge's MS Editor, will unintentionally capture field data containing personally identifiable information (PII) and other sensitive information and send it back to Microsoft and Google servers. Both features require users to take explicit action to enable them, and once enabled, users are often unaware that their data is being shared with third parties.
In addition to field data, the otto-js team also found that user passwords can be exposed via the Show password option. This option, which is intended to help users confirm that a password was not mistyped, inadvertently exposes the password to third-party servers through the enhanced spell-checking functions.
Individual users are not the only parties at risk. The vulnerability could result in corporate credentials being compromised by unauthorized third parties. The otto-js team provided the following examples to show how users who log into cloud services and infrastructure accounts can unknowingly pass their account access credentials to Microsoft or Google servers.
The first image (above) is the login form for an Alibaba Cloud account. When signing in via Chrome, the enhanced spell-check feature passes the request data to Google servers without the administrator's permission. As shown in the screenshot below, this request data includes the actual password entered to log into the company's cloud. Access to this kind of information can lead to anything from stolen company and customer data to the complete compromise of critical infrastructure.
The otto-js team conducted testing and analysis across control groups covering social media, office tools, healthcare, government, e-commerce, and banking/finance. More than 96% of the 30 control groups tested sent data to Microsoft and Google. 73% of the sites and groups tested sent passwords to third-party servers when the Show password option was selected. The sites and services that did not were simply the ones lacking a Show password function, not necessarily ones that had properly mitigated the issue.
The otto-js team contacted Microsoft 365, Alibaba Cloud, Google Cloud, AWS and LastPass, which represent the five sites and cloud service providers with the greatest risk exposure for their corporate clients. According to the security company's updates, both AWS and LastPass have already responded and indicated that the issue has been mitigated.
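For site owners who want to close the exposure described above, here is an added defensive example (not otto-js code and not from the article): it uses the standard HTML `spellcheck` attribute to keep sensitive fields out of the browser's enhanced spell-check, and it orders a "show password" toggle so the field is never spell-checkable while its value is visible. The list of sensitive `autocomplete` tokens is an assumption, and the helpers accept any element-like object with `getAttribute`/`setAttribute` so they run against real DOM nodes or test doubles.

```javascript
// Added defensive example (not from the otto-js article): keep Chrome/Edge
// enhanced spell-check away from sensitive form fields. A type="password"
// field is not spell-checked, but a "show password" toggle that flips it to
// type="text" makes it spell-checkable unless spellcheck="false" is set.

// Assumed set of autocomplete tokens treated as sensitive (not from the page).
const SENSITIVE_AUTOCOMPLETE = new Set([
  'current-password', 'new-password', 'one-time-code',
  'cc-number', 'cc-csc', 'username', 'email', 'tel',
]);

function isSensitiveField(el) {
  const type = (el.getAttribute('type') || 'text').toLowerCase();
  if (type === 'password') return true;
  const ac = (el.getAttribute('autocomplete') || '').toLowerCase();
  return SENSITIVE_AUTOCOMPLETE.has(ac);
}

// Set spellcheck="false" on every sensitive field in `fields` and return the
// number of fields that were changed. Non-sensitive fields are left alone so
// ordinary text inputs keep their spell-check.
function hardenSensitiveFields(fields) {
  let changed = 0;
  for (const el of fields) {
    if (!isSensitiveField(el)) continue;
    if (el.getAttribute('spellcheck') !== 'false') {
      el.setAttribute('spellcheck', 'false');
      changed++;
    }
  }
  return changed;
}

// Safe "show password" toggle: disable spell-check *before* switching the
// field to type="text", so the revealed value is never eligible for upload.
// Returns true when the password was just revealed, false when re-hidden.
function togglePasswordVisibility(el) {
  el.setAttribute('spellcheck', 'false');
  const reveal = el.getAttribute('type') === 'password';
  el.setAttribute('type', reveal ? 'text' : 'password');
  return reveal;
}

// Browser usage: run once after the page loads (re-run for forms added later).
if (typeof document !== 'undefined') {
  hardenSensitiveFields(document.querySelectorAll('input, textarea'));
}
```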