When using Chrome and MS Edge, you can allow information about specific form/field data (including PII) to be sent to third parties.
Enhanced Spellcheck in browsers such as Chrome and MS Editor in Microsoft Edge address a variety of spelling errors, but experts look down on the new feature because it seems to transmit sensitive information to third parties.
otto-js, a JavaScript security company, found that these extended spell check features can come at the cost of user privacy. Both can send form/field data, including personally identifiable information (PII), to Google and Microsoft. However, they also present a risk of spell-jacking, i.e., exposure of credentials if users click on view password.
Because users need to enable the extended and not the basic spell check in order for this to work, they’ll need to turn on that option. In extreme cases, their personal information could be exposed if they don’t use it appropriately.
Otto-JS set out to detect script behaviors in their own proprietary browser, but they discovered a security flaw during the process. Josh, the co-founder and CTO at Otto-JS said that, “What’s concerning is how easy it is to enable these features”, and most users will likely get lazy and turn these features on without really realizing what’s happening in the background.
A recent study found that 96.7% of websites tested were letting in their users’ personal data through the addresses bar when Enhanced Spellcheck is enabled in Google Chrome or Microsoft Edge. Additionally, 73% of the websites were sending passwords to Google and Microsoft without user’s knowledge.
At the time of this writing, researchers have identified the top five biggest websites to look out for when it comes to cybersecurity: Office 365, Alibaba Cloud Service, Google Cloud Secret Manager, AWS Secrets Manager, and LastPass. The latter two companies have managed to mitigate against these issues as well.
It’s estimated that 75% of companies’ cloud servers may have a high chance of being compromised because credentials can be captured in the process. “One of the most interesting things about this type of exposure is that it’s caused by the unintended interaction between two features that are, in isolation, both beneficial to users,” said Walter Hoehn, VP of engineering at otto-js.
The five most popular Chrome extensions that are collecting user data discretely. Changing your settings now to eliminate these intrusive tools.
A company from AWS showcased spell-jacking on their web app. By tapping show password in Chrome and Edge, it became easy for them to gain access to confidential passwords.
When conducting tests on both outside websites and in-house websites, the results revealed adult content more often than not was leaking PII. However, porn sites were relatively safer as they didn’t have the show password option enabled.
What can users do to prevent a spell-jacking on these browsers?
Some spell-checking tools that exist for Chrome need to be activated first. Luckily, in the case of Chrome, all you need to do is keep Enhanced Spell Check on by default and not install Microsoft Editor (available with Edge) as it’s not needed when speeding through websites without content.
Check to see if Enhanced Spell Check is disabled in Chrome by navigating to Settings > Language > Spell check. If it’s not disabled, make sure that the option ‘Basic Spell Check’ is selected and click ok.
Websites can mitigate this by updating their HTML code and adding the tags “spellcheck=false” or just for sensitive fields. They can also remove the ability to “show password,” which won’t stop spell-jacking but will prevent user passwords from being sent.
