For your own good
We all use browsers everyday in our lives, to browse the internet. Safety and Privacy are two things that are hard to find these days in the internet.
Browsers like Google Chrome and Microsoft Edge, have this “Extended spellcheck feature” that can transmit form data, including personally identifiable information, to Google and Microsoft respectively.
In some cases, they include passwords too
While this may be a known and intended feature of these web browsers, it does raise concerns about what happens to the data.
After transmission, one won’t know how safe the data might be, particularly when it comes to password fields.
Both Chrome and Edge ship with basic spellcheckers enabled. But, features like Chrome’s Enhanced Spellcheck or Microsoft Editor when manually enabled by the user, exhibit this potential privacy risk.
Depending on the website you visit, the form data may itself include PII—including but not limited to Social Security Numbers (SSNs)/Social Insurance Numbers (SINs), name, address, email, date of birth (DOB), contact information, bank and payment information, and so on.
Josh Summitt, co-founder & CTO of JavaScript security firm otto-js discovered this issue while testing his company’s script behaviors detection.
In cases where Chrome Enhanced Spellcheck or Edge’s Microsoft Editor (spellchecker) were enabled, “basically anything” entered in form fields of these browsers was transmitted to Google and Microsoft.
Furthermore, if you click on ‘show password,’ the enhanced spellcheck even sends your password, essentially Spell-Jacking your data
– JOSH SUMMIT, CTO OF otto-js
The official blog post for this can be found here.
Users may often rely on the “show password” option on sites where copying-pasting passwords is not allowed, for example, or when they suspect they’ve mistyped it.
To demonstrate, otto-js shared the example of a user entering credentials on Alibaba’ Cloud platform in the Chrome web browser, although any website can be used for this demonstration.
With enhanced spellcheck enabled, and assuming the user tapped “show password” feature, form fields including username and password are transmitted to Google at googleapis.com.
A video demonstration has also been shared by the company:
Some of the largest websites in the world have exposure to sending Google and Microsoft sensitive user PII, including username, email, and passwords, when users are logging in or filling out forms.
An even more significant concern for companies is the exposure this presents to the company’s enterprise credentials to internal assets like databases and cloud infrastructure.
What can users do to prevent spell-jacking on Chrome and Edge?
In Chrome, spell check is enabled by default, but Enhanced Spell Check needs to be activated.
Microsoft Editor is available as an add-on for Edge. So, keeping the Chrome settings for Enhanced Spell Check to default and not installing Editor in Edge should mitigate spell-jacking.
To check if Enhanced Spell Check is disabled in Chrome, click the vertical ellipsis on the top-right corner of a Chrome window > Settings > Languages > Spell check.
Either disable it entirely or select the radio button next to ‘Basic spell check.’
However, websites can mitigate the issue by updating the HTML code and adding “spellcheck=false” to all input fields or just for sensitive ones.
If you liked this article, share it with your family and friends.
Follow our Facebook and Twitter page for more contents and news.
Author
