September 27, 2022

Recent research shows that Google Chrome and Microsoft Edge extended spellcheck features transmit sensitive user data to both of the web browser parent companies, including personally identifiable information (PII) and passwords.

The research, conducted by Josh Summitt, co-founder and CTO of JavaScript security firm otto-js, didn’t expose a critical vulnerability, but it did raise concerns about the safety of the transmitted data, especially user credentials. Summitt made the discovery while testing the company’s script behavior detection. Both Chrome and Edge ship with basic spellcheckers that are enabled by default.

Their enhanced counterparts, which must be turned on manually, are the ones that transmit sensitive data: once enabled, Chrome’s Enhanced Spell Check sends the text typed into form fields to Google, and the Microsoft Editor extension sends it to Microsoft.

Which data is transmitted depends on the fields the visited website exposes and may include names, email addresses, bank and payment details, Social Security numbers (SSN), contact information, and Social Insurance numbers (SIN). Otto-js’s research team dubbed the attack vector spell-jacking.

“If ‘show password’ is enabled, the feature even sends your password to their 3rd-party servers,” otto-js said in a blog post. “While researching for data leaks in different browsers, we found a combination of features that, once enabled, will unnecessarily expose sensitive data to 3rd Parties like Google and Microsoft. What’s concerning is how easy these features are to enable and that most users will enable these features without really realizing what is happening in the background.”

Otto-js’s research highlighted several company websites that could put customer PII at risk. According to the company’s report, some of them mitigated the issue after being notified of the findings, but the number of websites susceptible to spell-jacking is likely far larger.
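The mechanism described above, as an added example that is not code from the article or from otto-js: a typical “show password” toggle that exposes the field to spell-jacking, a hardened toggle that sets spellcheck="false" before revealing the value, and a small audit function that lists the fields on a page a spellchecker could read. The sensitive-name pattern, the list of spellchecked input types, the makeField helper and the sample form are assumptions constructed for this demo; in a browser you would pass real elements from document.querySelectorAll instead.

```javascript
// Added example (not code from the article or from otto-js): a "show password"
// toggle that opens a field to spell-jacking, a hardened toggle, and a small
// audit that lists the fields on a page a spellchecker could read.
// The functions work on real DOM elements in a browser and, for this offline
// demo, on plain objects that mimic the element properties they use.

// Hypothetical list of field names that hold secrets or PII; extend for your app.
const SENSITIVE_NAME_RE = /pass(word|wd|phrase)?|\bpw\b|\bssn\b|\bsin\b|social|card|cvv|cvc|account|routing|iban/i;

// Input types a browser spellchecker may read. Assumed and deliberately broad for
// an audit: text and search are the commonly checked ones, the rest are included
// so the audit errs on the side of flagging. A password input is never spellchecked.
const SPELLCHECKED_INPUT_TYPES = new Set(['text', 'search', 'url', 'email', 'tel']);

// Vulnerable toggle: flipping type to "text" turns the field into an ordinary text
// input, and text inputs are spellchecked by default, so with Enhanced Spell Check
// (Chrome) or Microsoft Editor (Edge) enabled the password leaves the machine.
function togglePasswordVulnerable(input) {
  input.type = input.type === 'password' ? 'text' : 'password';
  return input.type;
}

// Hardened toggle: disable spellcheck before the value becomes visible. Setting
// the property reflects to the spellcheck="false" attribute on a real element.
function togglePasswordHardened(input) {
  input.spellcheck = false;
  input.type = input.type === 'password' ? 'text' : 'password';
  return input.type;
}

// True if the spellchecker can read this element's contents.
function isSpellcheckable(el) {
  if (el.spellcheck === false) return false;       // explicitly opted out
  const tag = String(el.tagName || '').toUpperCase();
  if (tag === 'TEXTAREA') return true;
  if (tag === 'INPUT') return SPELLCHECKED_INPUT_TYPES.has(String(el.type || 'text').toLowerCase());
  return el.isContentEditable === true;            // contenteditable regions
}

// Fields that are both spellcheckable and look sensitive by name, id or autocomplete.
function findSpellJackableFields(elements) {
  return Array.from(elements).filter((el) => {
    const label = `${el.name || ''} ${el.id || ''} ${el.autocomplete || ''}`;
    return isSpellcheckable(el) && SENSITIVE_NAME_RE.test(label);
  });
}

// Constructed stand-in for a DOM input (only the properties used above).
function makeField(type, name, spellcheck = true) {
  return { tagName: 'INPUT', type, name, id: name, autocomplete: '', spellcheck };
}

// Constructed sample form: a login/payment page as it looks before and after the
// user clicks "show password" on two password fields.
function demo() {
  const form = [
    makeField('password', 'pw-vulnerable'),
    makeField('password', 'pw-hardened'),
    makeField('text', 'ssn'),                    // SSN typed into a plain text box
    makeField('text', 'ssn-safe', false),        // same field with spellcheck="false"
    makeField('email', 'email'),                 // spellcheckable but not sensitive
    { tagName: 'TEXTAREA', name: 'notes', spellcheck: true },
  ];
  const before = findSpellJackableFields(form).map((f) => f.name);
  togglePasswordVulnerable(form[0]);
  togglePasswordHardened(form[1]);
  const after = findSpellJackableFields(form).map((f) => f.name);
  return { before, after };
}

// In a browser: findSpellJackableFields(document.querySelectorAll('input, textarea, [contenteditable]'))
console.log(JSON.stringify(demo()));
// prints {"before":["ssn"],"after":["pw-vulnerable","ssn"]}
```

Two things worth noting. The site-side fix is the attribute, not the toggle: any field that should never reach a third-party spellchecker (passwords, SSN/SIN, card numbers) gets spellcheck="false" in the markup, so it stays protected regardless of how the value is later revealed. And the audit is a heuristic that depends on field naming; it tells you which fields to review, not that the rest are safe.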

On Chrome, you can check whether Enhanced Spell Check is enabled by heading to the Languages section of the browser settings. Alternatively, paste the following address into the address bar:

chrome://settings/?search=Enhanced+Spell+Check

At the bottom of the page there are two radio buttons that switch between the basic and the enhanced version of the feature. Basic spell check does not send your text to Google.

Microsoft Edge users should check whether the Microsoft Editor: Spelling & Grammar Checker extension is installed and enabled (for example under edge://extensions) and disable or remove it if they do not need it.

Dedicated software solutions such as Bitdefender Ultimate Security can help you steer clear of cyber threats and keep your personal data safe, with features like:

  • Complete real-time threat protection against worms, viruses, Trojans, ransomware, rootkits, spyware, and other cyber threats
  • Real-time fraud monitoring that helps you dodge scam attempts from shady organizations
  • SSN tracker that notifies you if an unknown address, alias, or name is associated with your SSN
  • Identity alert module that protects you against data breaches and identity theft attempts
