Spell-jacking on Google Chrome and Microsoft Edge
Security researchers from otto-js published a report about a spell-jacking security flaw found on Google Chrome and Microsoft Edge. Depending on the configuration of the browsers, sensitive data could be leaked to third-party services.
- CVE: N/A
- Product affected: API (Pro and CE) and the browser extension
- Version affected: every version under v3.7.3
- Version fixed: v3.7.3
- Affected component: All form inputs.
- Vulnerability Type: spell-jacking
- Severity: N/A
Google Chrome and Microsoft Edge enhanced spell-checking features send the content of (non-password) form inputs to external third-party services owned by Google and Microsoft. Consequently, these browser features break the end-to-end character of passbolt and leak sensitive users’ data to third party.
Furthermore, if a proxy is enabled at an organisation scale, this proxy will also receive this data.
For Passbolt application it means that the following data could have been leaked:
- private key
- security token
- Text in the search bar
- Passwords metadata
- Passwords secrets
- Password generators metadata
- Share password search text content
- Passwords import/export
- Keepass file password
- Groups name
- Add group user search text content
- Folders name
- Share folder search text content
- Tags name
- Edit password tags text content
- Administration settings
- MFA settings except salt and secret keys
- User directory (LDAP) settings except auth password field
- Passbolt Pro subscription key
- Organization account recovery public and private recovery key and relative settings (including passphrase)
The users who are using Google Chrome with the advanced spell-checking feature enabled and the users using Microsoft Edge with the MS Editor extension installed.
The fix consists in adding a
spellcheck="false" tag on the body tag of every page served by Passbolt API and the browser extension.
- 20/09/2022 15:30: Spell-jacking issue is discovered.
- 21/09/2022 09:00: A fix is implemented.
- 26/09/2022: Extension v3.7.3 shipping with the fix is published.
- 27/09/2022: API v3.7.3 shipping with the fix is published.
This article was last updated on September 20th, 2022.