PakScoop

Chrome & Microsoft Edge can be Tricked into Changing the Spelling of Words: otto-js

Enhanced Spellcheck in Chrome and MS Editor in Edge can send form/field data, including personally identifiable information (PII) and user credentials, to third parties.

Mujtaba Ahmed

Users of Google Chrome and Microsoft Edge’s more advanced spell-checking tools may be exposing sensitive data. Researchers at otto-js found that the Enhanced Spellcheck feature in Chrome and the MS Editor feature in Edge can unintentionally send sensitive information to Google and Microsoft servers.

otto-js, a company that works on JavaScript security, found that these enhanced spell check features can cost users their privacy: both Google and Microsoft can receive data from forms and fields, including information that can be used to identify a person (PII).

Worryingly, the features also put users’ credentials at risk of spell-jacking if the user clicks “view password.” The exposure affects Chrome and Edge users who have turned on the enhanced spell check features rather than the basic ones. When enhanced spell check is turned on, the PII at risk includes the user’s name, email address, date of birth, social security number, and anything else they type into the fields. otto-js researchers found this security flaw while testing the company’s script behaviour detection.

Josh Summitt, co-founder and CTO of otto-js, said, “It’s worrying that these features are so easy to turn on and that most users will do so without knowing what’s going on in the background.” The company tested more than 50 websites in different control groups for online banking, cloud office tools, government services, social media, eCommerce, and healthcare.

Enhanced Spellcheck in Chrome and MS Editor in Edge were used to leak PII to Google and Microsoft in 96.7% of the cases. Also, about 73% of the websites that were tested sent passwords to Google and Microsoft. Researchers focused on the five biggest websites: Office 365, Alibaba Cloud Service, Google Cloud Secret Manager, AWS Secrets Manager, and LastPass.

As of this writing, the last two have mitigated the problem. The fact that credentials can be shared puts a company’s cloud infrastructure at risk.

This includes servers, databases, corporate email accounts, and password managers. Walter Hoehn, VP of engineering at otto-js, said, “One of the most interesting things about this kind of exposure is that it’s caused by an unintended interaction between two features that, on their own, are both good for users.”

The company posted a video showing how spell-jacking could be carried out against AWS Secrets Manager by clicking “show password” in Chrome and Edge.

Tests on websites outside of the control groups, including credit bureaus and adult-content sites, also showed PII being leaked. The adult-content sites were safer with respect to credentials, however, because they didn’t offer a “show password” option.

What can Chrome and Edge users do to protect themselves from spell-jacking?

Basic spell check is turned on by default in Chrome; Enhanced Spell Check has to be turned on by the user. In Microsoft Edge, Microsoft Editor is an add-on that the user installs. So leaving Chrome’s spell check settings at their default and not installing the Editor in Edge should stop spell-jacking.

To confirm that Chrome’s Enhanced Spell Check is turned off, click the three dots in the top right corner of a Chrome window, then go to Settings, Languages, and Spell Check. Either turn spell check off completely or select “Basic spell check.”

Websites can also fix the problem on their side by changing their HTML and adding “spellcheck=false” to all input fields, or at least to the sensitive ones. “Companies can also get rid of the ‘show password’ option. That won’t stop spell-jacking, but it will stop user passwords from being sent.”
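The server-side fix above is a one-line attribute per field, but on a large site it is easy to miss one. The script below is an added example, not code from otto-js or from this article: it applies spellcheck="false" to every field that looks sensitive (password, email and phone inputs, standard autocomplete tokens for personal or card data, and a few assumed name patterns such as "ssn" or "dob"), so enhanced spellcheckers never receive their contents. The name patterns and the disableAll switch are assumptions for illustration.

```javascript
// Added example: mark sensitive form fields with spellcheck="false"
// so browser enhanced-spellcheck features never see their contents.

// Input types whose content should never go to a spellcheck service.
const SENSITIVE_TYPES = new Set(['password', 'email', 'tel']);

// Standard HTML autocomplete tokens that identify personal or card data.
const SENSITIVE_AUTOCOMPLETE =
  /^(?:cc-|name|given-name|family-name|email|tel|bday|street-address|postal-code|one-time-code|current-password|new-password)/;

// Assumed field name/id patterns (illustrative, not an official list).
const SENSITIVE_NAME = /(ssn|social|passw|secret|token|dob|birth|card|cvv|iban|account)/i;

// Pure policy check on a plain description of a field
// ({type, autocomplete, name, id}); returns true when the field is sensitive.
function shouldDisableSpellcheck(field) {
  const type = (field.type || 'text').toLowerCase();
  if (SENSITIVE_TYPES.has(type)) return true;
  const ac = (field.autocomplete || '').toLowerCase();
  if (SENSITIVE_AUTOCOMPLETE.test(ac)) return true;
  return SENSITIVE_NAME.test(field.name || '') || SENSITIVE_NAME.test(field.id || '');
}

// DOM pass: set spellcheck="false" on matching <input>/<textarea> elements
// under root (or on all of them when disableAll is true). Returns the
// names of the fields it changed, which is handy for auditing.
function hardenSpellcheck(root, disableAll = false) {
  const changed = [];
  for (const el of root.querySelectorAll('input, textarea')) {
    const desc = {
      type: el.type,
      autocomplete: el.getAttribute('autocomplete'),
      name: el.name,
      id: el.id,
    };
    if ((disableAll || shouldDisableSpellcheck(desc)) &&
        el.getAttribute('spellcheck') !== 'false') {
      el.setAttribute('spellcheck', 'false');
      changed.push(el.name || el.id || el.type);
    }
  }
  return changed;
}

// In a browser, run once the page's forms exist; a no-op elsewhere.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => hardenSpellcheck(document));
}
```

Fields added dynamically after page load are not covered by the one-off pass; call hardenSpellcheck again on the new subtree, or simply set the attribute in the template, which is the fix the article recommends.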
