Google, Microsoft can get your passwords via web browser's spellcheck (opens in new tab)

(bleepingcomputer.com)

66 pointsSN764773y ago23 comments

23 comments

20 comments · 7 top-level

t-writescode3y ago· 7 in thread

This is why I argue that TikTok is meaningfully no worse than Facebook, Google or Microsoft. They’re all collecting basically everything you put into them, keyloggers and all.

You can’t just single out one because it’s from China, imo.

mackatap3y ago

But tiktok does much more than that. They collect the name of every document on your phone and every app that you have installed.

t-writescode3y ago

They must be using exploits for that, then, since iPhone lets me know and control all my sensitive information like pictures, contacts, camera, etc!

protonbob3y ago

Wow that is crazy. Do you have a source for that for me to share by the way?

1 more reply

soulofmischief3y ago

Windows 10 does this more or less if you use it long enough without changing the recommend settings. FAANG is spyware.

adultSwim3y ago

It's wild how much various forces are trying to get me to hate China now. FUD on anything China.

soulofmischief3y ago

Chinese people are cool but the Chinese government is objectively draconian and fascist. By trading with them we are showing our tolerance for such regimes.

Remember, it won't be long before Xinpang is getting the Putin treatment over Taiwan. Except you might be surprised how much we let slide in the end.

1 more reply

Gigachad3y ago

The problem with tiktok isn’t the tech. It’s the content. They have pointed a fire hose of absolute garbage content at the population. And induced some kind of mass mental illness on people, especially kids.

wildrhythms3y ago· 2 in thread

From the article:

>The 'spellcheck' HTML attribute when left out from form text input fields is usually assumed by web browsers be true by default.

Text inputs. So what about inputs of password type?

MDN says this:

>If [the spellcheck attribute] is not set, its default value is element-type and browser-defined. This default value may also be inherited, which means that the element content will be checked for spelling errors only if its nearest ancestor has a spellcheck state of true.

https://developer.mozilla.org/en-US/docs/Web/HTML/Global_att...

So do browsers apply spellcheck="true" by implicit default to inputs with type of password?

gausswho3y ago

'This attribute is merely a hint for the browser.' Browser can do what it wants with your inputs.

thfuran3y ago

Well, sure. A browser obviously can do whatever with the inputs you give it. But what do they actually do?

caprock3y ago· 2 in thread

Is this also true for Grammarly?

dixie_land3y ago

All of the companies I've personally worked at ban Grammarly for that reason. Some enforce it better (managed policies) than others (a wiki page no one bothers to check)

adultSwim3y ago

Huge issue for CoPilot too.

enviclash3y ago· 2 in thread

I find this outrageous. It also applies to the text of all of my employer' emails (at least those managed in the mentioned web browser), according to a prompt (with no option to reject, IIRC) I read the other day.

Edit: sorry I should have captured that prompt! I am not able to remember what it said, it might have been from the company rather than the browser.

cmeacham983y ago

> It also applies to the text of all of my employer' emails

Yeah I'm going to need a source on that one, as far as I know spellcheck only sends individual words not entire emails.

enviclash3y ago

Thanks for improving my knowledge on how spellcheck works. Still, should I assume that a list of words cannot be kept? It sound to me like a naive assumption in the current landscape.

1 more reply

haburka3y ago

Worthless clickbait - both of these processes that send to external servers are opt in and very clear that it is doing what it’s doing. Also, no big company would intentionally try to store and use your passwords against you. They have no incentive to do this. This is security theater.

3qz3y ago

This is also sending your credit card information btw

blondin3y ago

can we assume that the problem only happens when actually typing and not if you pasted sensitive text in the fields?

j / k navigate · click thread line to collapse

23 comments

20 comments · 7 top-level

t-writescode3y ago· 7 in thread

This is why I argue that TikTok is meaningfully no worse than Facebook, Google or Microsoft. They’re all collecting basically everything you put into them, keyloggers and all.

You can’t just single out one because it’s from China, imo.

mackatap3y ago

But tiktok does much more than that. They collect the name of every document on your phone and every app that you have installed.

t-writescode3y ago

They must be using exploits for that, then, since iPhone lets me know and control all my sensitive information like pictures, contacts, camera, etc!

protonbob3y ago

Wow that is crazy. Do you have a source for that for me to share by the way?

1 more reply

soulofmischief3y ago

Windows 10 does this more or less if you use it long enough without changing the recommend settings. FAANG is spyware.

adultSwim3y ago

It's wild how much various forces are trying to get me to hate China now. FUD on anything China.

soulofmischief3y ago

Chinese people are cool but the Chinese government is objectively draconian and fascist. By trading with them we are showing our tolerance for such regimes.

Remember, it won't be long before Xinpang is getting the Putin treatment over Taiwan. Except you might be surprised how much we let slide in the end.

1 more reply

Gigachad3y ago

wildrhythms3y ago· 2 in thread

From the article:

>The 'spellcheck' HTML attribute when left out from form text input fields is usually assumed by web browsers be true by default.

Text inputs. So what about inputs of password type?

MDN says this:

https://developer.mozilla.org/en-US/docs/Web/HTML/Global_att...

So do browsers apply spellcheck="true" by implicit default to inputs with type of password?

gausswho3y ago

'This attribute is merely a hint for the browser.' Browser can do what it wants with your inputs.

thfuran3y ago

Well, sure. A browser obviously can do whatever with the inputs you give it. But what do they actually do?

caprock3y ago· 2 in thread

Is this also true for Grammarly?

dixie_land3y ago

All of the companies I've personally worked at ban Grammarly for that reason. Some enforce it better (managed policies) than others (a wiki page no one bothers to check)

adultSwim3y ago

Huge issue for CoPilot too.

enviclash3y ago· 2 in thread

Edit: sorry I should have captured that prompt! I am not able to remember what it said, it might have been from the company rather than the browser.

cmeacham983y ago

> It also applies to the text of all of my employer' emails

Yeah I'm going to need a source on that one, as far as I know spellcheck only sends individual words not entire emails.

enviclash3y ago

Thanks for improving my knowledge on how spellcheck works. Still, should I assume that a list of words cannot be kept? It sound to me like a naive assumption in the current landscape.

1 more reply

haburka3y ago

3qz3y ago

This is also sending your credit card information btw

blondin3y ago

can we assume that the problem only happens when actually typing and not if you pasted sensitive text in the fields?

j / k navigate · click thread line to collapse