2022-09-20
On the 16th of September 2022 a security researcher posted the discovery of a serious privacy issue with chrome's enhanced spellcheck and some of the largest websites in the world. The spellcheck feature in the browser could have leaked passwords and other sensitive information to various websites.
I was asked if such a lack of care about user privacy was callous on google's part. Why had this security bug not been noticed? Could they not have implemented an exception or a workaround?
We see similar incidents with implementations using various javascript frameworks.
There is also a carelessness with how development is happening in live production environments.
The recent twitter whistle-blower revelations showed just how many coders have access to live data and code at one time. [1],[2]
So you have complex systems interacting with one another with no one engineer understanding how the systems work. It's possible that the engineers involved had no idea of the vulnerability when they wrote the code. You have to understand the system fully in order to see the risk. The March testimony of Senior Facebook engineers demonstrated this lack of knowledge. [3]
So developers may not have realized they should create a workaround to bypass the password text box.
But we have some fundamental questions to ask about our platforms in general and in particular, how many of our browser functions should be handled locally, rather than up in the cloud.
Why did the spell checker need to communicate back to base in the first place? For spell checking, why weren't the dictionaries local? How many of our systems are more online connecting back to log our data, including what we type? Consumers are very used to interacting with hosted services now. We've ended up with the idea of the Networked Computer proposed by Larry Ellison in the 1990s. With our data being stored in centralized silos. [4]
We need to realise that the more information that can be collected by browsers can be used elsewhere. Sold on elsewhere.
As we see more and more knowledge-based systems (AI) being created to serve us, how our private information is collected and processed is going to increase the risk to privacy. Including our spell and grammar checkers. We need to look at the terms and services of the services we use and where our keystrokes are being logged.
There's a danger of coders using common features with very little idea of the additional functionality that may then expose sensitive data. There needs to be more investment into further investigation of these features, more to the point to investigate where the code that implements the functionality may be used elsewhere in applications.
We also need to consider how much of our social networks and cloud systems rely on a common set of tools. We already have had other incidents involving the support of FOSS software in general with very little being contributed back to projects by companies that use that code.[5]
Take for example the node.js controversy last year, where a developer unpublished his node module that was used by thousands of projects. [6]
A lot of these companies use FOSS code, but their business practices and strategy are very private. So we have very little transparency on how those systems interact with our data. Especially when you consider that Google is an ad business. In our marketplace where the right ads need to appear in front of potential impressions, there more information that can be sucked up the better.
With the current trend of DevOps continuing rather than having separate development and production environments we will see more incidents like this. The early cultures of companies like Google, Facebook, and Twitter meant that there were always going to be risks to the stability and reputation of these companies. The earlier culture of "move fast break things" doesn't just disrupt systems, it puts private information at risk.
[1]https://www.washingtonpost.com/technology/interactive/2022/twitter-whistleblower-sec-spam/risk_committee_issues.pdf
[2] https://techcrunch.com/2022/09/13/twitter-whistleblower-mudge-congress/
[3]https://theintercept.com/2022/09/07/facebook-personal-data-no-accountability/
[4] https://tedium.co/2018/04/12/larry-ellison-network-computer-history/
[5]https://xkcd.com/2347/
[6]https://www.zdnet.com/article/disgruntled-developer-breaks-thousands-of-javascript-node-js-apps/