Google and Microsoft Can Access User Data Via Extended Spellcheck Features

Share post:

Google and Microsoft can access user data via extended spellcheck features available in Google Chrome and Microsoft Edge web browsers.

Although basic spellcheckers are enabled, features that present this potential privacy risk include Chrome’s Enhanced Spellcheck or Microsoft Editor when manually enabled.

The problem was discovered by Josh Summitt, co-founder and CTO of the JavaScript security firm otto-js, after testing his company’s script behaviors detection.

According to Summitt, in cases where Chrome Enhanced Spellcheck or Edge’s Microsoft Editor (spellchecker) were enabled, “basically anything” entered into form fields of those browsers was transferred to Google and Microsoft.

Form information submitted to Google and Microsoft when using major web browsers such as Chrome and Edge include PII, address, email, date of birth, contact information, bank and payment information and others.

It remains unclear what happens to user data once it reaches third-party providers such as Google’s server. Users can, however review if enhanced spellcheck is enabled in their browser by copying and pasting the link “Chrome://settings/?search=Enhanced+Spell+Check” into their address bar.

Otto-js also gave tips on how users can protect themselves against this.

“Companies can mitigate the risk of sharing their customers’ PII – by adding ‘spellcheck=false’ to all input fields, though this could create problems for users. Alternatively, you could add it to just the form fields with sensitive data. Companies can also remove the ability to ‘show password’.’ That won’t prevent spell-jacking, but it will prevent user passwords from being sent,”otto-js explains.

The sources for this piece include an article in BleepingComputer.

SUBSCRIBE NOW

Related articles

North Korean Job Scam Targeting IT Job Seekers

North Korea’s Lazarus advanced persistent threat (APT) group has launched a sophisticated campaign, “Operation 99,” targeting freelance software...

Hackers Exploit FastHTTP in High-Speed Microsoft 365 Attacks

Threat actors are employing the FastHTTP Go library to launch high-speed brute-force password attacks on Microsoft 365 accounts...

YouTubers Targeted As Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

Attackers have found a new way to infect people seeking pirated or cracked software: planting malicious download links...

New macOS Malware Exploits Apple’s Security Features to Stay Hidden and Steal User Data

A newly discovered variant of the Banshee macOS Stealer malware is putting 100 million Apple users at risk...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways