Google can get your Microsoft passwords through a web browser’s spell check

Written by admin


The extensive spell-checking features in the Google Chrome and Microsoft Edge web browsers transmit form data, including personally identifiable information (PII) and, in some cases, passwords, to Google and Microsoft, respectively.

While this may be a known and intended feature of these web browsers, it raises concerns about what happens to the data after transmission and how secure the experience will be, especially when it comes to password fields.

Both Chrome and Edge ship with a basic spell checker enabled. The privacy risk comes from the enhanced features, Chrome’s Enhanced spell check and Edge’s Microsoft Editor, which only send your text to the vendor once the user has manually enabled them.

Spell-jacking: This is your spell-checking sending PII to Big Tech

When you use a major web browser such as Chrome or Edge with its enhanced spell-checking feature enabled, your form data is transmitted to Google or Microsoft, respectively.

Depending on the website you visit, the form information itself may include PII, including, but not limited to, Social Security Numbers (SSN)/Social Insurance Numbers (SIN), name, address, email, date of birth (DOB), contact information, bank and payment information, etc.

Josh Summitt, co-founder and CTO of JavaScript security firm otto-js, discovered the problem while testing his company’s script behavior detection.

When Chrome Enhanced Spell Check or Edge’s Microsoft Editor (spell checker) was enabled, “basically everything” entered into those browsers’ form fields was transmitted to Google and Microsoft.

“Additionally, if you click the ‘show password’ button, the improved spell checker even sends your password, essentially spell-checking your data,” explains otto-js in a blog post.

“Some of the world’s largest websites are exposing sensitive user PII, including usernames, emails and passwords, to Google and Microsoft when users log in or fill out forms. An even more significant concern for companies is the exposure of the company’s enterprise credentials for internal assets such as databases and cloud infrastructure.”

[Image] Alibaba login form fields with “Show password” enabled (otto-js)
[Image] Chrome’s improved spell checker passes the password to Google (otto-js)

Users can often rely on the “show password” option, for example, on sites that don’t allow copy-pasting of passwords, or when they suspect they’ve mistyped a password.

To demonstrate, otto-js shared an example of a user entering credentials for Alibaba’s Cloud platform in the Chrome web browser, although any website could be used for this demonstration.

When Enhanced spell check is enabled and the user taps “show password”, the form fields, including username and password, are transmitted to Google at this address.

The company also shared a video demonstration:

BleepingComputer also observed credentials being passed to Google in our tests using Chrome to visit key sites:

  • CNN — both username and password when using ‘show password’
  • — both username and password when using ‘show password’
  • (Social Security Access) — username field only
  • Bank of America — username field only
  • Verizon — username field only

Simple HTML solution: ‘spellcheck=false’

Although the transmission of form fields is done securely over HTTPS, it may not be immediately clear what happens to the user data once it reaches the third-party Google server in this example.

“The Improved spell check feature requires user opt-in,” a Google spokesperson confirmed to BleepingComputer. Note that this is different from Chrome’s basic spell checker, which is enabled by default and does not transmit data to Google.

To check whether Enhanced spell check is enabled in your Chrome browser, copy and paste the link below into your address bar. You can then choose to turn it on or off:


[Image] The Enhanced spell check setting in Chrome (BleepingComputer)

As you can see from the screenshot, the feature description clearly states that when Enhanced spell check is enabled, “the text you type in the browser is sent to Google.”

“User-typed text can be sensitive personal information, and Google does not attach it to any user identification and only processes it temporarily on the server. To further ensure user privacy, we will proactively exclude passwords from spell-checking.” Google continued in a statement shared with us.

“We value cooperation with the security community, and we are always looking for ways to better protect user privacy and sensitive information.”

When it comes to Edge, Microsoft Editor, the Spelling and Grammar Checker browser add-on, must be explicitly installed and enabled for this behavior to occur.

BleepingComputer contacted Microsoft before publishing. We were told that the issue is being looked into, but we have yet to receive an answer.

otto-js called the attack vector “Spell-jacking” and expressed concern for users of cloud services such as Office 365, Alibaba Cloud, Google Cloud – Secret Manager, Amazon AWS – Secrets Manager and LastPass.

Reacting to otto-js’ report, both AWS and LastPass mitigated the problem. In the case of LastPass, the fix was as simple as adding the HTML attribute spellcheck="false" to the password field:

[Image] The LastPass “password” field now contains the spellcheck="false" HTML attribute (BleepingComputer)

spellcheck is an HTML attribute that web browsers, by default, usually treat as true for text entered in form fields. An input field with spellcheck explicitly set to "false" will not be processed by the web browser’s spell checker.

“Companies can reduce the risk of their customers sharing PII by adding ‘spellcheck=false’ to all login fields, which can cause problems for users,” otto-js explains, since users will then no longer be able to run the text they enter through the spell checker.

“Alternatively, you can only add it to form fields that contain sensitive information. Companies can also remove the ‘show password’ option. This won’t prevent misspellings, but it will prevent user passwords from being sent.”
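The two fixes otto-js describes can be checked and applied mechanically. The following is an added example (not otto-js, LastPass or BleepingComputer code) that audits simple login-form markup for text-like inputs an enhanced spell checker could process and rewrites them with spellcheck="false"; the sample form is constructed for the example and the regex parsing is only adequate for simple markup like it:

```javascript
// Input types that never carry free text, so the spell checker never sees them.
const NON_TEXT_TYPES = new Set(['hidden', 'submit', 'button', 'checkbox', 'radio', 'image', 'reset', 'file']);

// Parse the attributes of one <input ...> tag into an object with lower-cased keys.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<input\s*/i, '').replace(/\/?>$/, '');
  const re = /([^\s=]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || '';
  }
  return attrs;
}

// One record per text-like input, flagging whether the browser spell checker may
// process it. A missing spellcheck attribute defaults to true (as the article says),
// and type="password" counts too, because "show password" turns it into a text field.
function auditForm(html) {
  const results = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const a = parseAttrs(tag);
    const type = (a.type || 'text').toLowerCase();
    if (NON_TEXT_TYPES.has(type)) continue;
    const exposed = (a.spellcheck || 'true').toLowerCase() !== 'false';
    results.push({ name: a.name || a.id || '(unnamed)', type, exposed });
  }
  return results;
}

// Rewrite every text-like input with spellcheck="false" (the LastPass fix), replacing
// an explicit spellcheck="true" where present (the case seen on Twitter's form).
function hardenForm(html) {
  return html.replace(/<input\b[^>]*>/gi, (tag) => {
    const a = parseAttrs(tag);
    const type = (a.type || 'text').toLowerCase();
    if (NON_TEXT_TYPES.has(type)) return tag;
    const stripped = tag.replace(/\s+spellcheck\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
    return stripped.replace(/\s*\/?>$/, (end) => ` spellcheck="false"${end.trim()}`);
  });
}

// Constructed sample markup modelled on the login forms described in the article.
const SAMPLE_FORM = `
<form action="/login" method="post">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" spellcheck="true">
  <input type="hidden" name="csrf" value="x">
  <input type="submit" value="Sign in">
</form>`;
```

Running auditForm(SAMPLE_FORM) flags both the username and password fields as exposed, and auditForm(hardenForm(SAMPLE_FORM)) flags none.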

Unfortunately, we noticed that Twitter’s login form, which offers a “show password” option, has the password field’s spellcheck HTML attribute explicitly set to true:

[Image] Twitter’s password field has “show password” and spellcheck set to true (BleepingComputer)

As an added safeguard, Chrome and Edge users can disable Enhanced spell check (by following the steps above) or remove the Microsoft Editor add-on from Edge until both companies revise their enhanced spell checkers to exclude sensitive fields such as passwords from processing.
