Enhanced Spell Check Could Give Away Passwords to Third Parties

Once enabled, the enhanced spell check feature exposes users' personally identifiable information (PII) and passwords.

Published September 20, 2022

The enhanced spell check feature in Google Chrome and the Microsoft Editor extension can send passwords and login data, among other form contents, to Google's and Microsoft's servers. This is not the browsers' regular, local spellchecker: enhanced spell check is opt-in, so the user has to turn it on explicitly, after which the text they type is sent off to the vendor for checking. In the case of Microsoft Editor, the feature comes as a browser add-on offering advanced writing assistance such as grammar checking and other writing tools. Once enabled, it applies to every website the user visits, not just one, so credentials and other field contents from all of them can be transmitted.

What data is collected via this feature

Beyond passwords, field data such as usernames, email addresses, dates of birth and social security numbers is exposed when these tools are enabled. Passwords are normally protected because browsers do not spellcheck password fields; according to the researchers, the password is sent when the user clicks the 'show password' option, which reveals the typed value as plain text. Social Insurance Numbers (SINs) and bank payment details have also been exposed this way.

Josh Summitt, co-founder and CTO of the JavaScript security firm otto-js, discovered the issue while testing his company's script behaviour detection. The company's blog post showed several major websites sending such data to Google and Microsoft, which raises questions about the security of the internal databases and cloud infrastructure that receive it.

“If ‘show password’ is enabled, the feature even sends your password to their 3rd-party servers. While researching for data leaks in different browsers, we found a combination of features that, once enabled, will unnecessarily expose sensitive data to 3rd Parties like Google and Microsoft. What’s concerning is how easy these features are to enable and that most users will enable these features without really realizing what is happening in the background,” Summitt stated in the blog.

Of the 30 control-group websites otto-js tested, 96.7% (29 of 30) sent data to Google and Microsoft. The categories covered online banking, cloud office tools, healthcare, government, social media and eCommerce. Adult websites were also included in the test, and some of them sent data and PII to Google and Microsoft.

How to fix this issue

The fix on the website side is simple: add spellcheck="false" to every input field that holds sensitive data, including password fields, so the value stays out of the spellchecker even if a 'show password' control switches the field to plain text. Removing the 'show password' option altogether also keeps passwords from being sent, since browsers do not spellcheck a field while it remains a password field. On the user side, disabling enhanced spell check in Chrome and the Microsoft Editor add-on mitigates the issue; both can be turned off individually in the browser's settings.
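The following is an added example, not code from the original article or from otto-js, showing the website-side fixes described above: an audit that lists the form fields enhanced spell check could transmit (treating a password field as exposed unless it carries spellcheck="false", because a show-password toggle can flip it to plain text), a pass that adds spellcheck="false" to those fields, and a show-password toggle that keeps spellcheck off when it changes the field type. The sample login form and the regular expression of "sensitive" field names are constructed for this example and are assumptions, not data from the research.

```javascript
// Added example: audit and harden a form against spell-jacking.
// Runs in Node (string-based audit) or in a browser (the toggle works on a
// real HTMLInputElement). Not code from the article or from otto-js.

// Heuristic for field names worth flagging (assumed for this example).
const SENSITIVE_RE = /pass|pwd|ssn|sin|dob|birth|mail|user|login|card|account|iban/i;

// Input types whose contents a browser spellchecker never sends.
const NON_TEXT_TYPES = new Set(["hidden", "checkbox", "radio", "submit", "button",
  "reset", "file", "image", "range", "color", "date", "number"]);

// Parse the attributes inside one <input ...> or <textarea ...> opening tag.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function fieldType(tag, attrs) {
  return tag.toLowerCase() === "textarea" ? "textarea" : (attrs.type || "text").toLowerCase();
}

// Return every field in the markup that enhanced spell check could transmit.
function findSpellcheckExposures(html) {
  const exposures = [];
  const tagRe = /<(input|textarea)\b([^>]*?)\/?>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[2]);
    const type = fieldType(m[1], attrs);
    if (NON_TEXT_TYPES.has(type)) continue;
    if ((attrs.spellcheck || "").toLowerCase() === "false") continue;
    const name = attrs.name || attrs.id || "(unnamed)";
    exposures.push({
      name,
      type,
      // A password field is safe only while it stays type=password; a
      // "show password" control that flips it to type=text exposes it.
      reason: type === "password" ? "exposed when show-password reveals it"
                                  : "typed text sent to spellcheck server",
      sensitive: SENSITIVE_RE.test(name),
    });
  }
  return exposures;
}

// Fix 1: add spellcheck="false" to every exposed field in the markup,
// replacing any existing spellcheck attribute so it is not duplicated.
function hardenHtml(html) {
  return html.replace(/<(input|textarea)\b([^>]*?)(\/?)>/gi, (whole, tag, body, slash) => {
    const attrs = parseAttrs(body);
    if (NON_TEXT_TYPES.has(fieldType(tag, attrs))) return whole;
    if ((attrs.spellcheck || "").toLowerCase() === "false") return whole;
    const cleaned = body.replace(
      /\s+spellcheck(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?(?=\s|$)/i, "");
    return `<${tag}${cleaned} spellcheck="false"${slash}>`;
  });
}

// Fix 2: a show-password toggle that turns spellcheck off before the field
// becomes type=text. `field` is an HTMLInputElement in a browser, or any
// object with `type` and `spellcheck` properties in Node.
function togglePasswordVisibility(field) {
  field.spellcheck = false; // set before the type changes
  field.type = field.type === "password" ? "text" : "password";
  return field.type;
}

// Constructed sample login form (not a real site).
const SAMPLE_FORM = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password" spellcheck="true">
  <input type="text" name="ssn">
  <input type="hidden" name="csrf" value="abc">
  <textarea name="notes"></textarea>
  <input type="submit" value="Sign in">
</form>`;

const before = findSpellcheckExposures(SAMPLE_FORM);
console.log(before.map(e => `${e.name} (${e.type}): ${e.reason}`));
const after = findSpellcheckExposures(hardenHtml(SAMPLE_FORM));
console.log(after.length === 0 ? "hardened: no exposed fields" : after);
```

The audit is deliberately conservative: any text-like field without spellcheck="false" is listed, and the `sensitive` flag only prioritises findings. Applying the attribute to password fields as well means a later show-password feature cannot reintroduce the leak.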

Written By
Vishwa Pandagle

Vishwa Pandagle is a Technical Writer at The Cyber Express. She writes about cybersecurity-related news like data breaches, ransomware attacks, phishing attacks, etc. She also writes about ongoing cybersecurity-related developments and best practices. When not working, she likes self-reflecting, meditating, volunteering and going for long walks.
