A JavaScript security company found that sensitive information entered into forms in the Chrome and Edge browsers is sent to the respective browser vendor's servers if the advanced spellcheck feature is enabled.
It is the Enhanced Spell Check in Chrome and Microsoft Editor in Edge that collect the contents of form fields and transmit them to Google's and Microsoft's servers respectively. The data can include sensitive information, up to and including passwords entered in login forms when they are displayed in clear text. There is, however, a way to disable this.
Sucking Passwords With Spellcheck On
Google's Chrome and Microsoft's Edge are the two most prominent browsers today, serving most of the web's daily requests. While they are known to collect some of our data for ads, it is intriguing to learn that they can also collect far more sensitive data, including passwords, when the advanced spellcheck feature is on.
According to Josh Summitt, co-founder and CTO of the JavaScript security firm otto-js, who discovered this issue, what Google or Microsoft receives depends on the website you are visiting, and most importantly, it happens only when Microsoft Editor in Edge or Enhanced Spell Check in Chrome is turned on.
Chrome and Edge both provide basic spellcheck support, which does not send any data out of the browser; it is the advanced spellcheck features that transmit the text entered in browser forms. Users turn these features on to have their spelling corrected and to be better understood.
Based on the otto-js report, the data taken in this process includes all types of PII, including but not limited to Social Security Numbers (SSNs), names, addresses, email addresses, dates of birth (DOB), contact information, and bank and payment information, depending on the website.
And when the user clicks "show password" to make sure they are entering the right one, the browser sends the entered password to its server as well: a revealed password field is an ordinary text field as far as the spellchecker is concerned. Though all this data is transmitted over HTTPS, it is unknown how well it is protected once it reaches Google's or Microsoft's servers.
Summitt explained this behavior with the example of a user entering credentials on Alibaba Cloud and finding the entered data sent to googleapis.com. Google defended this by telling BleepingComputer that "The Enhanced spell check feature requires an opt-in from the user," which is true: the setting explicitly states that text typed in the browser is sent to Google when Enhanced Spell Check is on.
There is a workaround on both sides. Users can turn the data collection off by pasting the following address into Chrome's address bar and switching from Enhanced to Basic spell check (in Edge, the equivalent is to turn off the Microsoft Editor option in the browser's settings):
chrome://settings/?search=Enhanced+Spell+Check
Website operators can stop the leak independently of the user's setting by adding the HTML attribute spellcheck="false" to sensitive input fields, which tells the browser not to spellcheck that field at all. AWS and LastPass have already mitigated this behavior by setting spellcheck="false" on their fields, while other major websites are yet to act on it.
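The site-side mitigation described above, as an added example that is not otto-js's, AWS's or LastPass's code: a small script that sets spellcheck="false" on every field that may hold a secret and audits a page for fields still exposed to the spellchecker. The sensitive-name pattern, the data-original-type attribute used to mark a revealed password field, and the FakeDocument/FakeElement classes are assumptions constructed for this example so that it runs offline under Node; in a browser you would pass `document` instead, and the functions use only standard DOM calls (querySelectorAll, getAttribute, setAttribute).

```javascript
// Added example (not the browsers' or otto-js's code): site-side mitigation for
// spellcheck data leakage. Marks sensitive fields spellcheck="false" so Enhanced
// Spell Check / Microsoft Editor never sees their contents, and audits a page for
// fields that are still exposed.

// Field name / id / autocomplete hints that indicate sensitive content.
// This list is an assumption for the example; extend it for your own forms.
const SENSITIVE_PATTERN =
  /pass(word|wd|phrase)|ssn|social|card|cvv|cvc|iban|account|routing|dob|birth|secret|token|otp/i;

// A field is sensitive if it is (or started life as) a password field, or if its
// name/id/autocomplete hint looks sensitive. Password fields are included even
// though browsers do not spellcheck type="password": a "show password" toggle
// flips them to type="text", and the attribute must already be in place by then.
// 'data-original-type' is an assumed marker a site might set when revealing a field.
function isSensitiveField(el) {
  const type = (el.getAttribute('type') || 'text').toLowerCase();
  if (type === 'password') return true;
  const hints = ['name', 'id', 'autocomplete', 'data-original-type']
    .map((a) => el.getAttribute(a) || '')
    .join(' ');
  return SENSITIVE_PATTERN.test(hints);
}

// True when the browser has been told not to spellcheck this field.
function isSpellcheckDisabled(el) {
  return (el.getAttribute('spellcheck') || '').toLowerCase() === 'false';
}

// Sets spellcheck="false" on every sensitive input/textarea/contenteditable
// under `root`. Returns the number of fields changed.
function hardenSensitiveFields(root) {
  let changed = 0;
  for (const el of root.querySelectorAll('input, textarea, [contenteditable]')) {
    if (isSensitiveField(el) && !isSpellcheckDisabled(el)) {
      el.setAttribute('spellcheck', 'false');
      changed += 1;
    }
  }
  return changed;
}

// Returns the names of sensitive fields still exposed to the spellchecker.
function auditSensitiveFields(root) {
  return [...root.querySelectorAll('input, textarea, [contenteditable]')]
    .filter((el) => isSensitiveField(el) && !isSpellcheckDisabled(el))
    .map((el) => el.getAttribute('name') || el.getAttribute('id') || '(unnamed)');
}

// --- Constructed minimal DOM stand-in so the example runs without a browser ---
class FakeElement {
  constructor(tag, attrs) { this.tag = tag; this.attrs = { ...attrs }; }
  getAttribute(n) {
    return Object.prototype.hasOwnProperty.call(this.attrs, n) ? this.attrs[n] : null;
  }
  setAttribute(n, v) { this.attrs[n] = String(v); }
}
class FakeDocument {
  constructor(elements) { this.elements = elements; }
  // Supports only the tag-list selector used above.
  querySelectorAll(selector) {
    const want = selector.split(',').map((s) => s.trim());
    return this.elements.filter((el) =>
      want.includes(el.tag) ||
      (want.includes('[contenteditable]') && el.getAttribute('contenteditable') !== null));
  }
}

// Constructed sample login/checkout form, modelled on the kind of page in the report.
function sampleDocument() {
  return new FakeDocument([
    new FakeElement('input', { type: 'email', name: 'username' }),
    new FakeElement('input', { type: 'password', name: 'password' }),
    // A password field already revealed by a "show password" toggle.
    new FakeElement('input', { type: 'text', name: 'password_confirm', 'data-original-type': 'password' }),
    new FakeElement('input', { type: 'text', name: 'ssn' }),
    new FakeElement('input', { type: 'text', name: 'card_number', spellcheck: 'false' }),
    new FakeElement('textarea', { name: 'comments' }),
  ]);
}

if (typeof document === 'undefined') {
  const doc = sampleDocument();
  console.log('exposed before:', auditSensitiveFields(doc));
  console.log('hardened:', hardenSensitiveFields(doc));
  console.log('exposed after:', auditSensitiveFields(doc));
}
```

On a real page, run hardenSensitiveFields(document) once the form is in the DOM and again whenever forms are inserted dynamically (for example from a MutationObserver callback), and keep auditSensitiveFields in a test suite so that a newly added credential or payment field cannot ship without the attribute. Note that this protects only the site's own fields; a user who wants protection everywhere still has to switch off the enhanced spellcheck feature in the browser settings described above.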