
Chrome and Microsoft Edge Spellcheck Feature Can Retrieve User Passwords

Vlad CONSTANTINESCU

September 19, 2022


Recent research shows that the extended spellcheck features in Google Chrome and Microsoft Edge transmit sensitive user data, including personally identifiable information (PII) and passwords, to the browsers' parent companies.

The research, conducted by Josh Summitt, co-founder and CTO of JavaScript security firm otto-js, didn’t expose a critical vulnerability, but it did raise concerns about the safety of the transmitted data, especially user credentials. Summitt made the discovery while assessing the company’s script behavior detection. Both Chrome and Edge include basic spellcheckers that are enabled by default.

However, their advanced counterparts, which must be enabled manually, transmit sensitive data to Google and Microsoft: once enabled, Chrome’s Enhanced Spellchecker and Microsoft Editor send form data to the parent companies.

The transmitted data type depends on the visited website and may include names, email addresses, bank and payment details, Social Security numbers (SSN), contact information, and Social Insurance numbers (SIN). Otto-js’s research team dubbed the attack vector spell-jacking.

“If 'show password' is enabled, the feature even sends your password to their 3rd-party servers,” otto-js said in a blog post. “While researching for data leaks in different browsers, we found a combination of features that, once enabled, will unnecessarily expose sensitive data to 3rd Parties like Google and Microsoft. What's concerning is how easy these features are to enable and that most users will enable these features without really realizing what is happening in the background.”

Otto-js’s research highlighted several company websites that might put customer PII at risk. According to the company’s report, some already mitigated the issue after being notified about the findings. However, the number of websites susceptible to spell-jacking is far more significant.
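For site operators, one way to find the form fields this behavior would expose is to audit page markup for sensitive text inputs that do not opt out of spellchecking. The following is an added example, not code from otto-js or from this article; it relies on the standard HTML `spellcheck` attribute, and the hint list, the names `SpellcheckAudit` and `audit`, and the sample markup are this example's own assumptions.

```python
from html.parser import HTMLParser

# Hypothetical substrings that mark a field as carrying PII or credentials.
SENSITIVE_HINTS = ("passw", "ssn", "card", "cvv", "email", "phone", "name", "account")
# type=password is included: a "show password" toggle turns it into a text box.
TEXT_TYPES = {"text", "email", "tel", "search", "url", "password"}
VOID_TAGS = {"input", "br", "img", "hr", "meta", "link"}

class SpellcheckAudit(HTMLParser):
    """Collect sensitive text fields that do not opt out of spellchecking."""

    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, spellcheck disabled?) for each open ancestor
        self.findings = []  # (line, tag, field name or id)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        inherited = self.stack[-1][1] if self.stack else False
        # spellcheck is inherited; an explicit value overrides the ancestor's.
        disabled = a["spellcheck"] == "false" if "spellcheck" in a else inherited
        if tag not in VOID_TAGS:
            self.stack.append((tag, disabled))
        is_field = tag == "textarea" or (
            tag == "input" and a.get("type", "text") in TEXT_TYPES)
        label = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete", "type"))
        if is_field and not disabled and any(h in label for h in SENSITIVE_HINTS):
            self.findings.append((self.getpos()[0], tag, a.get("name") or a.get("id")))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit(html):
    parser = SpellcheckAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup, not taken from any real site.
SAMPLE = """<form action="/signup">
<input type="text" name="full_name">
<input type="password" id="confirm">
<div spellcheck="false"><input type="text" name="ssn">
<textarea name="card_notes" spellcheck="true"></textarea></div>
<input type="checkbox" name="email_optin">
</form>"""
```

Each finding is a field that should carry `spellcheck="false"` itself or inherit it from an enclosing element such as the form.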

On Chrome, you can check if the Enhanced Spell Check feature is enabled in your browser by heading to the Languages category in the app configuration screen. Alternatively, you could copy and paste the following address into your browser address bar:

chrome://settings/?search=Enhanced+Spell+Check

At the bottom of the screen, there should be two radio buttons, allowing you to switch between the basic and enhanced versions of the feature.

Microsoft Edge users merely need to check if the Microsoft Editor: Spelling & Grammar Checker addon is installed and enabled in their browsers.


Dedicated software solutions such as Bitdefender Ultimate Security can help you steer clear of cyber threats and keep your personal data safe, with features like:

  • Complete real-time threat protection against worms, viruses, Trojans, ransomware, rootkits, spyware, and other cyber threats
  • Real-time fraud monitoring that helps you dodge scam attempts from shady organizations
  • SSN tracker that notifies you if an unknown address, alias, or name is associated with your SSN
  • Identity alert module that protects you against data breaches and identity theft attempts
