Security firm warns: Don’t activate Edge, Chrome’s enhanced spell-checking features

If you’re using Edge and Chrome’s enhanced spell-checking features, it’s time to give them up, as a new report shows that the feature can actually send your form data to the tech giants that own the aforementioned browsers.

According to disclosures by a JavaScript security firm called otto-js, this occurs when Chrome’s Enhanced Spell Checker and Edge’s Microsoft Editor Spelling & Grammar Checker browser plugins are manually activated by the user. It’s worth noting that both browsers have their own basic spell checkers enabled by default, but these don’t pose a security risk because they behave differently than the enhanced versions.

When activated, these features can send data to Microsoft and Google. The information sent depends on the forms you fill out on a particular website: the more form fields you fill out, the more data you might send to these companies while Enhanced Spell Check is active. The website you are visiting may ask you to provide personally identifiable information (PII) such as your full name, home address, email address, social security number, passport number, driver’s license number, credit card number, date of birth, etc. To make matters worse, your passwords could also be sent to Microsoft and Google, according to the otto-js research team, which calls the process “spell-checking.”

“If ‘Show Password’ is enabled, the feature will even send your password to their third-party server,” shared Josh Summitt, co-founder and CTO of otto JavaScript Security, when testing the company’s script behavior detection. “While researching data leaks across different browsers, we discovered a combination of features that, if enabled, would unnecessarily expose sensitive data to third parties such as Google and Microsoft. Concerningly, these features are very easy to enable, and most users will enable these features without really realizing what’s going on in the background.”

Spell-checking can happen on all websites, as long as you are using Edge or Chrome with the enhanced spell-checking feature enabled. To demonstrate this, otto-js showed what happened when they used employee credentials (specifically passwords) to log into the company’s Alibaba Cloud account: the credentials were then sent to Google. Additionally, otto-js shared a video demo to show how spell-checking exposes a company’s cloud infrastructure, including servers, databases, company email accounts, and password managers.

“This video uses a common workplace scenario to show how easy it is to enable browser-enhanced spell checking and how employees can unknowingly expose the company,” otto-js added. “Most CISOs are shocked to learn that their company’s management credentials were unknowingly shared in plaintext with a third party, even a third party they generally trust.”

The JavaScript security firm also listed the companies and services that may be affected by the issue: Alibaba (Cloud Services), Office 365, and Google Cloud (Secret Manager). AWS (Secrets Manager) and LastPass were initially on the list, but otto-js says the two companies have fully mitigated the problem.

Users can protect themselves by leaving Chrome’s enhanced spellcheck feature and Edge’s Microsoft Editor spelling and grammar checker browser plugin disabled. On the website side, otto-js says companies can prevent spell-checking issues by adding “spellcheck=false” to their input fields.

Otto-js advises: “Companies can mitigate the risk of sharing customer PII by adding ‘spellcheck=false’ to all input fields, although this may cause problems for users. Or you can add it only for sensitive data form fields. Companies can also remove the ‘show password’ feature. This won’t prevent spell-checking, but it will prevent user passwords from being sent. Companies can also use client-side security software like otto-js to monitor and control third-party scripts on the page.”
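The "sensitive fields only" variant of that advice, sketched as an added example (not code from otto-js or this article): it sets `spellcheck="false"` on password, payment and PII fields, including a password field that a "show password" toggle has already switched to plain text. The name pattern, the `fakeField` stand-in for DOM elements and the sample form are assumptions constructed for illustration.

```javascript
// Added example. autocomplete tokens are standard HTML values; the list is a chosen subset.
const SENSITIVE_AUTOCOMPLETE = new Set([
  "current-password", "new-password", "one-time-code",
  "cc-number", "cc-csc", "cc-exp", "cc-name",
  "name", "email", "street-address", "bday",
]);
// Heuristic for fields that carry no autocomplete hint (assumed naming patterns).
const SENSITIVE_NAME = /pass|pwd|secret|token|ssn|licen[cs]e|card|cvv|birth/i;

function isSensitive(el) {
  const type = (el.getAttribute("type") || "text").toLowerCase();
  if (type === "password") return true;
  const hints = (el.getAttribute("autocomplete") || "").toLowerCase().split(/\s+/);
  if (hints.some((h) => SENSITIVE_AUTOCOMPLETE.has(h))) return true;
  // Catches a password field after "show password" switched it to type="text".
  const label = `${el.getAttribute("name") || ""} ${el.getAttribute("id") || ""}`;
  return SENSITIVE_NAME.test(label);
}

// Sets spellcheck="false" on sensitive fields, or on every field when opts.all is true.
// Returns the name (or id) of each field it changed.
function hardenFields(elements, opts = { all: false }) {
  const changed = [];
  for (const el of elements) {
    if (!(opts.all || isSensitive(el))) continue;
    if (el.getAttribute("spellcheck") === "false") continue; // already protected
    el.setAttribute("spellcheck", "false");
    changed.push(el.getAttribute("name") || el.getAttribute("id") || "(unnamed)");
  }
  return changed;
}

// Constructed stand-in for a DOM element so the example also runs under Node.
function fakeField(attrs) {
  const a = { ...attrs };
  return {
    getAttribute: (k) => (k in a ? a[k] : null),
    setAttribute: (k, v) => { a[k] = String(v); },
  };
}

// Constructed sample form: a password, a revealed password, a card number, a search box.
const sampleForm = [
  fakeField({ type: "password", name: "pw" }),
  fakeField({ type: "text", name: "login_password" }),
  fakeField({ type: "text", name: "cc", autocomplete: "cc-number" }),
  fakeField({ type: "search", name: "q" }),
];
console.log(hardenFields(sampleForm));
// In a page: hardenFields(document.querySelectorAll("input, textarea"));
```

Marking password inputs while they are still `type="password"` means the attribute is already in place if the field is later revealed as text.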

The security firm said it doesn’t yet know whether data transmitted to Microsoft and Google is being stored or how it is managed. Microsoft still hasn’t commented on this, but a Google spokesperson told BleepingComputer: “Google doesn’t attach it to any user identity, it’s just a temporary process on the server.”

Threza Gabriel (https://www.techgoing.com)
Threza Gabriel is a news writer at TechGoing. TechGoing is a global tech media outlet that brings you the latest technology stories, including smartphones, electric vehicles, smart home devices, gaming, wearable gadgets, and all trending tech.
