Be careful if you use the spell checkers of Chrome or Edge: the data entered in the text fields is transmitted in clear text to the Google and Microsoft servers… including your passwords!


Both Google's and Microsoft's web browsers offer an enhanced spell checker. It is built directly into Chrome, while in Edge it is provided through an extension. Once activated, it helps reduce spelling and typing errors when you enter information on a web page, whether in a form or an email, for example.

Unfortunately, researchers at Otto-js, an American company specializing in the security of JavaScript (a programming language widely used on the Web), revealed the existence of a major flaw in this enhanced spell checker. When it is activated, the text entered in form fields is not analyzed locally on the computer but on the servers of Google and Microsoft, for greater efficiency. As a result, everything that is typed is sent in the clear to the two Web giants. This is an alarming practice, since all the information entered passes through it: personal data such as names, email addresses, telephone numbers, ID numbers, dates of birth and, most worryingly, passwords.

Otto-js researchers demonstrated that, after typing a password in the field provided, the user only has to click the Show password button for it to be sent without any encryption to the servers of Google and Microsoft. An attacker who intercepted the transmission could thus easily seize the identifiers and passwords of any user. Otto-js researchers have dubbed this flaw Spell-Jacking. They conducted tests on around fifty Web services (online banks, cloud storage, social networks, health, etc.) and indicated that 73% of the sites tested allow passwords to pass in the clear. They strongly urge all websites to review how password entry fields are handled on their pages until the flaw is closed. In the meantime, nothing prevents you from disabling the enhanced spell checker in your browser.

The enhanced spell checker is not enabled by default in Google Chrome. Nevertheless, you may have turned it on to test its effectiveness. Here's how to turn it off.

► Open Google Chrome and click the three stacked dots at the top right of the browser. From the pop-up menu, choose Settings.

► Click Google and you in the left column, then Google Services/Synchronization in the center of the window.


► Among the options displayed, turn off the Improved spell checker option at the bottom of the list.


In the Edge browser, enhanced spell checking comes through the Microsoft Editor extension, which you may have installed. Until the flaw is fixed, you can sign out of your account, disable the extension, or simply delete it.

► Open the Edge browser, then click the extensions icon in the row of icons to the right of the address field. In the pop-up menu, click Microsoft Editor.


► Microsoft Editor needs you to be signed in to your Microsoft account to work, so you can sign out. Click the down arrow to the right of your user name, then Sign out.


► You can also disable the extension. To do this, click the gear icon. On the page that appears, switch the Enabled toggle at the top right to Disabled.


► Finally, you can simply delete the extension. To do this, in the list of installed extensions, click the three dots (ellipsis) to the right of Microsoft Editor. From the list of options, choose Remove from Microsoft Edge.
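For site owners acting on the researchers' call to review how password entry fields are handled, here is an added example (not from the article or from Otto-js) that marks sensitive fields with the standard HTML `spellcheck="false"` attribute, so the setting is already in place when a Show password button turns the field into readable text. The function names and the hint list of field names are assumptions to adapt to your own forms.

```javascript
// Added example: the hint list and function names are assumptions, not from the article.
const SENSITIVE_HINT = /pass|pwd|secret|ssn|card|cvv|birth|dob|phone|email/i;

// True when a field may hold data that should not be handed to a spell checker.
function isSensitive(el) {
  const type = (el.getAttribute('type') || 'text').toLowerCase();
  if (type === 'password') return true; // becomes readable text once "Show password" retypes it
  const hints = ['name', 'id', 'autocomplete']
    .map((attr) => el.getAttribute(attr) || '')
    .join(' ');
  return SENSITIVE_HINT.test(hints);
}

// Set spellcheck="false" on each sensitive field under root; return the ones changed.
function hardenFields(root) {
  const changed = [];
  for (const el of root.querySelectorAll('input, textarea, [contenteditable]')) {
    if (isSensitive(el) && el.getAttribute('spellcheck') !== 'false') {
      el.setAttribute('spellcheck', 'false');
      changed.push(el);
    }
  }
  return changed;
}

// In a browser: harden now, then again whenever fields are added or an input's
// type changes, which is how "Show password" toggles usually work.
if (typeof document !== 'undefined') {
  const run = () => hardenFields(document);
  document.addEventListener('DOMContentLoaded', run);
  run();
  new MutationObserver(run).observe(document.documentElement, {
    childList: true,
    subtree: true,
    attributes: true,
    attributeFilter: ['type'],
  });
}
```

Setting the attribute directly in the HTML template is the more robust option; the script is a safety net for fields created or swapped at runtime.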
