Google Chrome and Microsoft Edge leak passwords through spell check


Google Chrome and Microsoft Edge recently introduced more powerful spell checkers intended to help users write better. However, according to the otto-js research team, these features also send sensitive data to the two corporations: email addresses, usernames, dates of birth, social security numbers, contact information, payment data, other sensitive identification data (such as the DNI in Spain) and even the password, if the user turns on the feature that displays it.

otto-js has discovered that, depending on the website the user visits (that is, the leak does not occur with all websites), Google Chrome's enhanced spell checker and Microsoft Editor for Edge (also an enhanced spell checker) can send the responsible companies practically any data that the user enters in forms.

An email address is not especially compromising without the password, provided a strong one is used that is difficult to break by brute force (more than a dozen characters, combining letters, numbers and special characters). Still, it is unpleasant that data such as the password, the DNI, the social security number and payment numbers end up on Google's and Microsoft's servers without the user being warned.

As we have already said, the password leak seems to have an additional requirement: the user must use the feature that displays the password, which is generally used to check that it has been typed correctly when the user is alone. The researchers tested this with the Alibaba login form.

Password leak through Google Chrome and Microsoft Edge

Websites on which the leak can be reproduced include Office 365, Alibaba’s cloud service, Google Cloud, Amazon Web Services (AWS), and the password manager LastPass. According to updates otto-js has made to the entry on its official blog, the last two have introduced the mitigations needed to prevent the leak from happening again: they have added `spellcheck=false` to all input fields on their forms to block spell checking.

BleepingComputer has also carried out its own investigation, which adds CNN, Facebook, (Social Security of the United States), Bank of America and Verizon to otto-js's list, so those websites are also contributing, unintentionally, to leaking data that should remain private to the user.

In total, otto-js has investigated more than 50 websites and divided 30 of them into a control group covering six categories: Online Banking, Cloud Office Tools, Medical Services, Government Institutions, Social Media and E-commerce. Of those 30 websites in the control group, 96.7% send personal data to Google and Microsoft servers through the enhanced spell checker. In addition, when the show password feature is used, 73% end up leaking the password.

Percentage of websites investigated by otto-js leaking personal data to Google and Microsoft via Chrome and Edge's enhanced spell checker
Percentage of websites investigated by otto-js that leak the password to Google and Microsoft through Chrome and Edge's improved spell checker

How to disable the enhanced spell checker in Google Chrome and Microsoft Edge

Luckily, the bug is confined to a very specific feature that can be easily disabled. We recommend following these steps to protect your privacy and, above all, to prevent personal data from being sent to the wrong party.

In Edge, Microsoft Editor is actually an extension that is installed separately. The browser also has its own implementation, “Use typing assistance”, in the Languages section, which is checked by default, but it does not seem to reproduce the bug. Regardless, for added security, it would be a good idea to use basic proofing or disable typing assistance altogether.

Disabling Microsoft Editor, Microsoft Edge's enhanced spell checker

In Google Chrome the process is similar, and the enhanced spell checker is not enabled by default either. In the same Languages section, select “Basic spell check” if you do not opt for disabling spell checking entirely.

Disabling Google Chrome's Enhanced Spell Checker

It seems that disabling spell checking from the web forms themselves will have to become standard practice to protect users more effectively, although that does not mean users can skip taking the necessary measures themselves. When it comes to privacy and security, you can never be too careful.
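Site owners can check their own forms for the `spellcheck=false` mitigation described above. The following Python script is an added example, not code from otto-js or from any of the sites named; it flags text, password and textarea fields whose effective spellcheck state is not false, treating the attribute as inherited from ancestor elements as the HTML standard specifies. The class and function names and the sample form are constructed for illustration.

```python
from html.parser import HTMLParser

# Conservative set of input types that carry typed text. "password" is included
# because a show-password toggle switches the field to type="text".
TEXT_TYPES = {"text", "email", "search", "tel", "url", "password"}
VOID = {"input", "br", "img", "hr", "meta", "link"}  # elements with no end tag

class SpellcheckAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, spellcheck state) of open elements; None = browser default
        self.findings = []  # (tag, name or id, input type)

    def handle_starttag(self, tag, attr_list):
        attrs = {k: (v or "") for k, v in attr_list}
        # "false" disables, "" or "true" enables, absent or invalid inherits.
        value = attrs.get("spellcheck", "inherit").strip().lower()
        inherited = self.stack[-1][1] if self.stack else None
        state = {"false": False, "": True, "true": True}.get(value, inherited)
        kind = attrs.get("type", "").strip().lower() or "text"
        editable = tag == "textarea" or (tag == "input" and kind in TEXT_TYPES)
        if editable and state is not False:
            label = attrs.get("name") or attrs.get("id") or "(unnamed)"
            self.findings.append((tag, label, kind if tag == "input" else ""))
        if tag not in VOID:
            self.stack.append((tag, state))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # tolerate unclosed tags
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit(html):
    """Return the fields in `html` that a browser spell checker may still read."""
    parser = SpellcheckAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample form (not taken from any real site).
SAMPLE = """<form id="login">
  <input name="email" type="email">
  <input name="password" type="password">
  <div spellcheck="false"><input name="ssn" type="text"></div>
  <textarea name="notes" spellcheck="true"></textarea>
  <input name="card" spellcheck="false">
</form>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Fields under an ancestor with `spellcheck="false"` are not reported, so setting the attribute once on the `<form>` element clears every field that does not override it.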

NOTICE: The article has been corrected on September 19, 2022 at approximately 8:20 p.m.