September 19, 2022

Google and Microsoft can access user data via extended spellcheck features available in Google Chrome and Microsoft Edge web browsers.

Although basic spellcheckers are enabled, features that present this potential privacy risk include Chrome’s Enhanced Spellcheck or Microsoft Editor when manually enabled.

The problem was discovered by Josh Summitt, co-founder and CTO of the JavaScript security firm otto-js, after testing his company’s script behaviors detection.

According to Summitt, in cases where Chrome Enhanced Spellcheck or Edge’s Microsoft Editor (spellchecker) were enabled, “basically anything” entered into form fields of those browsers was transferred to Google and Microsoft.

Form information submitted to Google and Microsoft when using major web browsers such as Chrome and Edge include PII, address, email, date of birth, contact information, bank and payment information and others.

It remains unclear what happens to user data once it reaches third-party providers such as Google’s server. Users can, however review if enhanced spellcheck is enabled in their browser by copying and pasting the link “Chrome://settings/?search=Enhanced+Spell+Check” into their address bar.

Otto-js also gave tips on how users can protect themselves against this.

“Companies can mitigate the risk of sharing their customers’ PII – by adding ‘spellcheck=false’ to all input fields, though this could create problems for users. Alternatively, you could add it to just the form fields with sensitive data. Companies can also remove the ability to ‘show password’.’ That won’t prevent spell-jacking, but it will prevent user passwords from being sent,”otto-js explains.

The sources for this piece include an article in BleepingComputer.