The enhanced spell check feature in Google Chrome and Microsoft Editor can send passwords, login data and other details to their respective servers. Not to be confused with the regular spellchecker, this feature requires explicit permission: the user must opt in to turn it on. In the case of Microsoft Editor, the feature is offered as a browser add-on that provides advanced writing assistance with grammar checking and other writing tools. Once enabled, it captures credentials and form details not just from one website but from every website the user visits.
What data is collected via this feature
It is not just passwords: usernames, email addresses, dates of birth and social security numbers, among other form field data, are exposed when these tools are enabled. As per sources, the feature also sends the password when a user clicks the ‘show password’ option to view the password they have entered. Social Insurance Numbers (SINs) and bank payment details have also been exposed through this feature.
Josh Summitt, co-founder and CTO of the JavaScript security firm otto-js, discovered the issue while testing his company’s script behavior detection. The company’s blog post showed how several global websites send such details to Google and Microsoft, which raises questions about the security of entire internal databases and cloud infrastructure.
“If ‘show password’ is enabled, the feature even sends your password to their 3rd-party servers. While researching for data leaks in different browsers, we found a combination of features that, once enabled, will unnecessarily expose sensitive data to 3rd Parties like Google and Microsoft. What’s concerning is how easy these features are to enable and that most users will enable these features without really realizing what is happening in the background,” Summitt stated in the blog.
Out of 30 control-group websites tested by otto-js, 96.7% sent data to Google and Microsoft. The website categories included online banking, cloud office tools, healthcare, government, social media and eCommerce. Adult websites were also affected, with some data and PII sent to Google and Microsoft.
How to fix this issue
There is a simple fix at the coding level: add “spellcheck=false” to all input fields containing sensitive data. Removing the ‘show password’ option also prevents passwords from being sent to a third party. Furthermore, disabling the enhanced spell check feature and add-ons helps mitigate the issue; users can disable these features individually in their browser settings.
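The fix described above, worked as an added JavaScript example (not code from the article or from otto-js): a small helper that applies spellcheck="false" to sensitive inputs when the page loads and, because the report ties the leak to the ‘show password’ action, re-applies it whenever a toggle flips a password field to type="text". The sensitivity patterns, the stand-in element and the sample form are assumptions constructed for this example.

```javascript
// Added example (not from the article or otto-js): defensively apply
// spellcheck="false" to sensitive inputs and keep it when a "show password"
// toggle flips a field to type="text". Runs in a browser against the live DOM
// and stand-alone in node against a constructed stand-in form.

// Field types and name/id/autocomplete patterns treated as sensitive.
// The pattern list is an assumption; extend it for your own form conventions.
const SENSITIVE_TYPES = new Set(["password", "email", "tel"]);
const SENSITIVE_NAME_RE =
  /(pass|pwd|secret|user|login|ssn|sin\b|social|dob|birth|card|cvv|account|iban|token)/i;

// Read an attribute as a string, treating a missing attribute as "".
function attr(field, name) {
  const v = field.getAttribute(name);
  return v === null || v === undefined ? "" : String(v);
}

function isSensitiveField(field) {
  const type = attr(field, "type").toLowerCase() || "text";
  if (SENSITIVE_TYPES.has(type)) return true;
  return ["name", "id", "autocomplete"].some((a) => SENSITIVE_NAME_RE.test(attr(field, a)));
}

// Sets spellcheck="false" on every sensitive field that lacks it.
// Returns the names of the fields it changed so the result can be logged or audited.
function disableSpellcheckOnSensitiveFields(fields) {
  const changed = [];
  for (const field of fields) {
    if (!isSensitiveField(field)) continue;
    if (attr(field, "spellcheck").toLowerCase() === "false") continue;
    field.setAttribute("spellcheck", "false");
    changed.push(attr(field, "name") || attr(field, "id") || "(unnamed)");
  }
  return changed;
}

// "Show password" handler: flipping type to "text" is exactly the moment the
// enhanced spell checker can read the value, so spellcheck="false" is re-pinned
// on every toggle rather than trusting the attribute set at page load.
// Returns the field's resulting type.
function setPasswordVisible(field, visible) {
  field.setAttribute("type", visible ? "text" : "password");
  field.setAttribute("spellcheck", "false");
  return attr(field, "type");
}

// Minimal stand-in for an input element so the example runs without a DOM
// (assumption: only getAttribute/setAttribute are needed by the helpers above).
function makeField(attrs) {
  const store = { ...attrs };
  return {
    getAttribute: (k) => (Object.prototype.hasOwnProperty.call(store, k) ? store[k] : null),
    setAttribute: (k, v) => { store[k] = String(v); },
  };
}

// Constructed sample form (field names are made up for this example).
function sampleFields() {
  return [
    makeField({ type: "text", name: "search" }),
    makeField({ type: "text", name: "username" }),
    makeField({ type: "password", name: "password" }),
    makeField({ type: "text", name: "ssn", spellcheck: "false" }),
    makeField({ type: "text", id: "dob" }),
  ];
}

// In a browser, harden the live page once the DOM is ready.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => {
    disableSpellcheckOnSensitiveFields(document.querySelectorAll("input, textarea"));
  });
}
```

Running `disableSpellcheckOnSensitiveFields(sampleFields())` returns `["username", "password", "dob"]`: the search box is left alone and the SSN field already carried the attribute. Wire `setPasswordVisible` to any eye-icon toggle instead of changing `type` directly, so that showing the password never silently re-enables spell checking on the revealed value.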