If you’re using Edge and Chrome’s enhanced spell-checking features, it’s time to give them up, as a new report shows that the feature can actually send your form data to the tech giants that own the aforementioned browsers.
When activated, these features can send data to Microsoft and Google. The information sent depends on the forms you fill out on a particular website, which means the more form fields you fill out, the more data you might send to these companies while Enhanced Spell Check is on. The website you are visiting may ask you to provide personally identifiable information (PII) like your full name, home address, email address, social security number, passport number, driver’s license number, credit card number, date of birth, etc. To make matters worse, your passwords could also be sent to Microsoft and Google, according to the otto-js research team, which calls the process “spell-checking.”
Spell-checking can happen on all websites, as long as you are using Edge or Chrome and have the enhanced spell-checking feature turned on. To demonstrate this, otto-js showed what happened when they used employee credentials (specifically passwords) to log into the company’s Alibaba Cloud account: the credentials were later sent to Google. Additionally, otto-js shared a video demo to show how spell-checking exposes a company’s cloud infrastructure, including servers, databases, company email accounts, and password managers.
“This video uses a common workplace scenario to show how easy it is to enable browser-enhanced spell checking and how employees can unknowingly expose the company,” otto-js added. “Most CISOs are shocked to learn that their company’s management credentials were unknowingly shared in plaintext with a third party, even a third party they generally trust.”
Besides leaving Chrome’s enhanced spellcheck feature and Edge’s Microsoft Editor spelling and grammar checker browser plugin untouched and disabled, otto-js says companies can prevent spell-checking issues by adding “spellcheck=false” to their form fields.
Otto-js advises: “Companies can mitigate the risk of sharing customer PII by adding ‘spellcheck=false’ to all input fields, although this may cause problems for users. Or you can add it only for sensitive data form fields. Companies can also remove the ‘show password’ feature. This won’t prevent spell-checking, but it will prevent user passwords from being sent. Companies can also use client-side security software like otto-js to monitor and control third-party scripts on the page.”
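One way a site owner could check their own forms for the “spellcheck=false” mitigation, as an added example (not code from otto-js or from the original article): a small auditor that lists sensitive text-entry fields that do not set the attribute. The `SENSITIVE` pattern, the skipped input types and the sample form are assumptions constructed for illustration.

```javascript
// Added example: static audit of form markup for the spellcheck="false" mitigation.
// SENSITIVE, SKIP_TYPES and SAMPLE_FORM are assumptions constructed for this sketch.
const SENSITIVE = /pass|pwd|ssn|social|card|cvv|passport|licen[cs]e|birth|dob|email|address|name/i;
const SKIP_TYPES = new Set(["hidden", "checkbox", "radio", "submit", "button", "reset", "file", "image"]);

// Parse one tag's attributes into a lower-cased name -> value map.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*\w+/, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").trim();
  }
  return attrs;
}

// Return the sensitive text-entry fields that do not set spellcheck="false".
// Limitations: regex tag matching (no ">" inside attribute values) and no
// handling of a spellcheck value inherited from an ancestor element.
function auditSpellcheck(html) {
  const findings = [];
  for (const [tag, element] of html.matchAll(/<\s*(input|textarea)\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    const type = element.toLowerCase() === "textarea" ? "textarea" : (a.type || "text").toLowerCase();
    if (SKIP_TYPES.has(type)) continue;
    // Password inputs count as sensitive: a "show password" control exposes them as text.
    const sensitive = type === "password" || SENSITIVE.test([a.name, a.id, a.autocomplete].join(" "));
    const disabled = (a.spellcheck || "").toLowerCase() === "false";
    if (sensitive && !disabled) findings.push({ field: a.name || a.id || "(unnamed)", type });
  }
  return findings;
}

// Constructed sample form, not taken from any real site.
const SAMPLE_FORM = `
<form action="/login" method="post">
  <input type="text" name="username" spellcheck="false">
  <input type="password" name="password" id="pw">
  <input type="text" name="card_number" autocomplete="cc-number">
  <input name="ssn" spellcheck="true">
  <textarea name="comment"></textarea>
  <input type="hidden" name="csrf_token" value="x">
</form>`;

console.log(auditSpellcheck(SAMPLE_FORM));
```

Fields it reports are candidates for `spellcheck="false"`; a field may already be covered if an ancestor element sets the attribute, which this sketch does not track.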
The security firm said it doesn’t yet know whether data transmitted to Microsoft and Google is being stored or how it is managed. Microsoft still hasn’t commented on this, but a Google spokesperson told BleepingComputer: “Google doesn’t attach it to any user identity, it’s just a temporary process on the server.”