Google, Microsoft can get your passwords through web browser spell checker

Extensive spell-checking features in Google Chrome and Microsoft Edge web browsers transmit form data, including personally identifiable information (PII) and, in some cases, passwords, to Google and Microsoft, respectively.

While this may be a known and intended feature of these web browsers, it raises concerns about what happens to the data after transmission and the security of the practice, particularly with regard to password fields.

Chrome and Edge ship with basic spell checkers enabled. However, features such as Chrome’s enhanced spell checker or Microsoft’s editor, when manually enabled by the user, pose this potential privacy risk.

Spell-jacking: It’s your spell checker sending PII to Big Tech

When using major web browsers such as Chrome and Edge, your form data is passed to Google and Microsoft, respectively, in case enhanced spell checking features are enabled.

Depending on the website you are visiting, form data may include PII, including but not limited to Social Security Numbers (SSN)/Social Security Numbers (SIN), name, address , e-mail, date of birth (DOB), contact details, bank details and payment information, etc.

Josh Summitt, co-founder and CTO of JavaScript security firm otto-js, discovered this problem while testing his company’s script behavior detection.

In cases where Chrome Enhanced Spellcheck or Edge’s Microsoft Editor (spellchecker) were enabled, “essentially everything” typed into form fields in those browsers was passed to Google and Microsoft.

“Additionally, if you click ‘Show Password’, the enhanced spell checker even sends your password, essentially Spell Jacking your data,” otto-js explains in a blog post.

“Some of the world’s largest websites are at risk of Google and Microsoft sending users confidential personal information, including usernames, emails, and passwords, when users log in or fill out forms. An even bigger concern for businesses is the exposure this presents to business operations. credentials to internal assets such as databases and cloud infrastructure. »

Alibaba login form fields, with “show password” enabled (otto-js)
Improved spell checker forwards password to Microsoft and Google
Chrome’s improved spell checker passes password to Google (otto-js)

Users can often rely on the “show password” option on sites where copying and pasting passwords isn’t allowed, for example, or when they suspect they’ve misspelled it.

To demonstrate this, otto-js shared an example of a user entering their Alibaba Cloud Platform credentials in the Chrome web browser, although any website can be used for this demonstration.

When Enhanced Spell Checker is enabled, and assuming the user pressed the “Show Password” function, the form fields, including username and password, are passed to Google in googleapis.com.

The company also shared a demo video:

BleepingComputer also observed that credentials were passed to Google during our tests using Chrome to visit important sites such as:

  • CNN: username and password when using “show password”
  • Facebook.com: username and password when using “Show password”
  • SSA.gov (Social Security Login) – Username field only
  • Bank of America: username field only
  • Verizon – Username field only

A simple HTML solution: ‘spellcheck=false’

Although form fields are transmitted securely over HTTPS, it may be unclear what happens to the user’s data once it reaches the third party, in this example, the Google server.

“The Enhanced Spell Check feature requires a user subscription,” a Google spokesperson confirmed to BleepingComputer. Note that this contrasts with the basic spell checker which is enabled in Chrome by default and does not pass data to Google.

To check if enhanced spell checking is enabled in your Chrome browser, copy and paste the following link into your address bar. You can then choose to enable or disable it:

chrome://settings/?search=Spell check+enhanced

improved chrome spell check settings
Enhanced spell check setting in Chrome must be enabled (Computer Beep)

As the screenshot shows, the feature’s description explicitly states that with enhanced spell checking enabled, “text you type in the browser is sent to Google.”

“The text entered by the user may be sensitive personal information and is not linked to any user identity by Google and is only temporarily processed on the server by Google. To further ensure user privacy, we will work to proactively exclude passwords from the spell checker.” Google continued in its statement shared with us.

“We value collaboration with the security community and are always looking for ways to better protect user privacy and sensitive information. »

As for Edge, Microsoft Editor’s spelling and grammar checker is a browser plugin that must be explicitly installed for this behavior to occur.

BleepingComputer contacted Microsoft long before publication. We were told the matter was under investigation, but have yet to hear back.

otto-js called the attack vector “Spell-jacking” and raised concerns for users of cloud services such as Office 365, Alibaba Cloud, Google Cloud – Secret Manager, Amazon AWS – Secrets Manager, and LastPass.

In response to the otto-js report, AWS and LastPass have mitigated the issue. In the case of LastPass, the remedy was achieved by adding a simple HTML attribute spell checker = “false” in the password field:

last pass password field
LastPass “password” field now includes HTML attribute spellcheck=false (Computer Beep)

The “spell checker” HTML attribute when omitted from form text input fields is generally assumed by web browsers to be true by default. An input field with a “spell checker” explicitly set to fake it will not be processed by a web browser’s spell checker.

“Companies can mitigate the risk of sharing their customers’ PII by adding ‘spellcheck=false’ to all input fields, although this can create problems for users,” says otto-js, referring to the fact that users are now they won’t. able to run your typed text through the spell checker.

“Alternatively, you can add it only to form fields containing sensitive data. Companies can also remove the “Show Password” capability. It won’t prevent spelling, but it will prevent users’ passwords from being sent. »

Ironically, we note that the Twitter login form, which comes with the “show password” option, has the “spell checker” HTML attribute of the password field explicitly set to true:

twitter spell check field
Twitter password field contains “Show password” and spell checker is set to “true” (Computer Beep)

As additional protection, Chrome and Edge users can disable enhanced spell checking (following the steps above) or remove the Microsoft Editor plugin from Edge until both companies have reviewed extended spell checkers to exclude the processing of sensitive fields, such as passwords.

Leave a Comment