Spell-checking leaking data on Microsoft Edge and Google Chrome
Security firm Otto JavaScript Security (Otto-js) has revealed that spell-checking features in both Microsoft Edge and Google Chrome are leaking sensitive user information to Microsoft and Google, respectively.
The issue, dubbed “spell-jacking” by Otto-js, which occurs when Microsoft Edge’s MS Editor and Chrome’s Enhanced Spellcheck are enabled on the browsers, leaks data including passwords, emails and usernames when users fill in forms on several popular websites and enterprise cloud-based apps.
In a blog post, Otto-js revealed that enterprise apps including Office 365, Alibaba, Amazon Web Services (AWS) and Google Cloud were impacted by the issue. The spell-check features were found to send data entered into form fields to both Google and Microsoft, while passwords were also found to be leaked to third-party servers from both browsers if the “show password” feature is used.
Otto-js tested over 50 websites that users visit daily or weekly and that have access to personally identifiable information (PII). 30 sites were broken into a control group of six categories (e-commerce, cloud office tools, online banking, social media, healthcare and government) with websites in each category selected based on the top ranking.
96.7 per cent of the 30 control group websites were found to send data with PII to Microsoft and Google and 73 per cent sent passwords when the “show password” feature was enabled. Several enterprise cloud-based apps were also found to send data when spell-check features were enabled when entering forms. Researchers from Otto-js said AWS and LastPass have since remedied the issue.
Researchers said there was no clear answer regarding what happens to the data sent to Google and Microsoft, whether it is stored when received, who manages its security and whether it receives the same level of security as other sensitive data.
In their blog post, Otto-js wrote that the issue raised concerns over the access tech firms such as Google and Microsoft have to sensitive user data. The company wrote: "Passwords are meant to be a secret you share with the party you intended, and no one else. A shared secret should be hashed and irreversible, but this feature violates a fundamental security principle of 'need-to-know' and could be considered a violation of privacy."
Researchers noted that enterprises can mitigate the risk by adding “spellcheck=false” in all input fields when entering forms, although they added that this may create issues for users. Otto-js also said that enterprises can prevent passwords from being sent by taking away the “show password” feature in forms.
The firm added that companies could implement endpoint security precautions that disabled enhanced spell-check features or could disable spell-check in their browsers.
