Leaking Passwords through the Spellchecker
Sometimes browser spellcheckers leak passwords:
When using major web browsers like Chrome and Edge, your form data is transmitted to Google and Microsoft, respectively, should enhanced spellcheck features be enabled.
Depending on the website you visit, the form data may itself include PII—including but not limited to Social Security Numbers (SSNs)/Social Insurance Numbers (SINs), name, address, email, date of birth (DOB), contact information, bank and payment information, and so on.
The solution is to only use the spellchecker options that keep the data on your computer—and don’t send it into the cloud.
Clark Gaylord • September 26, 2022 7:00 AM
Sure, but there’s also no question that these tools benefit dramatically from having data from the endpoint systems. It is easy enough to filter things that look like DOB, SSN. We use these filters in reverse to find data (e.g., Identity Finder). Of course there’s the problem of where this happens (server side, client side), how trusted the code is in doing this, etc.