Chrome and Microsoft Edge Spellcheck Feature Can Retrieve User Passwords
Recent research shows that the extended spellcheck features in Google Chrome and Microsoft Edge transmit sensitive user data, including personally identifiable information (PII) and passwords, to the browsers' parent companies.
These advanced spellcheckers require manual activation. Once enabled, Chrome’s Enhanced Spellchecker and Microsoft Editor transmit form data to their parent companies.
The type of data transmitted depends on the visited website and may include names, email addresses, bank and payment details, Social Security numbers (SSN), contact information, and Social Insurance numbers (SIN). Otto-js’s research team dubbed the attack vector spell-jacking.
“If 'show password' is enabled, the feature even sends your password to their 3rd-party servers,” otto-js said in a blog post. “While researching for data leaks in different browsers, we found a combination of features that, once enabled, will unnecessarily expose sensitive data to 3rd Parties like Google and Microsoft. What's concerning is how easy these features are to enable and that most users will enable these features without really realizing what is happening in the background.”
Otto-js’s research highlighted several company websites that might put customer PII at risk. According to the company’s report, some already mitigated the issue after being notified about the findings. However, the number of websites susceptible to spell-jacking is far more significant.
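For site owners, one way to list the form fields on a page that remain eligible for browser spellchecking. This is an added example, not code from otto-js or from the original article; it assumes the standard HTML `spellcheck` attribute (set to `false` on the field or on an ancestor) is what opts a field out, and the sample markup and field names are constructed.

```python
from html.parser import HTMLParser
# Constructed sample markup, not taken from any real site.
SAMPLE_FORM = """
<form>
  <input type="text" name="full_name">
  <input type="email" name="email" spellcheck="false">
  <input type="password" name="password">
  <div spellcheck="false">
    <input type="text" name="ssn">
    <textarea name="card_note" spellcheck="true"></textarea>
  </div>
  <input type="checkbox" name="show_password">
</form>
"""

# Assumption: these input types hold free text a spellchecker may read.
# "password" is listed because a "show password" toggle exposes it as text.
TEXT_TYPES = {"text", "search", "email", "tel", "url", "password"}
VOID_TAGS = {"input", "br", "hr", "img", "meta", "link"}

class SpellcheckAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []    # effective spellcheck state of each open element
        self.exposed = []  # fields that remain eligible for spellchecking

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        enabled = self.stack[-1] if self.stack else True  # inherit from parent
        if "spellcheck" in a:
            value = (a["spellcheck"] or "").lower()
            if value in ("", "true", "false"):  # other values keep inherited state
                enabled = value != "false"
        kind = (a.get("type") or "text").lower()
        is_field = (tag == "textarea" or (tag == "input" and kind in TEXT_TYPES)
                    or a.get("contenteditable", "false") != "false")
        if is_field and enabled:
            self.exposed.append(a.get("name") or a.get("id") or tag)
        if tag not in VOID_TAGS:
            self.stack.append(enabled)
    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()  # assumes well-formed nesting

def exposed_fields(html):
    audit = SpellcheckAudit()
    audit.feed(html)
    audit.close()
    return audit.exposed
```

On the sample form, `exposed_fields(SAMPLE_FORM)` reports `full_name`, `password` and `card_note`; the `ssn` field is covered by the `spellcheck="false"` on its parent `div`.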
On Chrome, you can check if the Enhanced Spell Check feature is enabled in your browser by heading to the Languages category in the app configuration screen. Alternatively, you could copy and paste the following code into your browser address bar:
At the bottom of the screen, there should be two radio buttons, allowing you to switch between the basic and enhanced versions of the feature.
Microsoft Edge users merely need to check if the Microsoft Editor: Spelling & Grammar Checker add-on is installed and enabled in their browsers.
Dedicated software solutions such as Bitdefender Ultimate Security can help you steer clear of cyber threats and keep your personal data safe, with features like:
- Complete real-time threat protection against worms, viruses, Trojans, ransomware, rootkits, spyware, and other cyber threats
- Real-time fraud monitoring that helps you dodge scam attempts from shady organizations
- SSN tracker that notifies you if an unknown address, alias, or name is associated with your SSN
- Identity alert module that protects you against data breaches and identity theft attempts