Google Chrome and Microsoft Edge Spell Check Could Reveal Passwords

Extended spell check features in Google and Microsoft web browser settings share personal data, including passwords.

It might be time to crack out the dictionary and update your cybersecurity training, as new research reveals that enhanced spell check features in Chrome and Edge could be stealing your personal data, including your password.

In a control group of 30 websites, including some of the largest websites in the world, the research team at cyber security firm otto-js, found that 96.7 percent of those websites sent data with Personally Identifiable Information (PII) back to Google and Microsoft when enhanced spell check features in Chrome and Edge were enabled.

Of those websites tested, 73 percent sent passwords when “show password” was clicked, presenting a significant security concern for company databases, cloud infrastructure and enterprise credentials. Given that a single breach can costs US businesses up to $10 million on average, this latest research just goes to show how important it is to keep your cyber security measures constantly up to date. Here's what we know.

What is Spell-Jacking?

The security leak, coined ‘spell-jacking' refers to the potential exposure of Personally Identifiable Information (PII) via Enhanced Spell Check features in Chrome and Microsoft Editor to third-party servers.

Research, conducted by security firm otto-js, found that in cases where Google Chrome's Enhanced Spell checker, and the Microsoft Edge equivalent (Edge Editor) were enabled, all information entered in any form field, including usernames, DOB, SSN and passwords (via the ‘Show Password' field) were transmitted to Google and Microsoft third-party servers, potentially exposing your data.

Some of the largest websites in the world have exposure to sending Google and Microsoft sensitive user PII (personally identifiable information), including username, email, and passwords, when users are logging in or filling out forms. An even more significant concern for companies is the exposure this presents to the company's enterprise credentials to internal assets like databases and cloud infrastructure.

While it's unclear whether the data collected by spell check is done so securely, one thing we do know is that the best way to secure your passwords is to keep it hidden.

How to Protect Your Data Online

The best way to protect business data and login credentials is by following good cyber security measures like signing up for a secure password manager, investing in antivirus software, encrypting your internet traffic and masking IPs with virtual private networks (VPNs). Unfortunately, in this case, cyber security measures aren't that simple.

Otto-js recommend website owners add “spellcheck=false” to all input fields to reduce the risk of sharing PII, and removing the ability to ‘show password' to prevent user passwords from being sent. Though implementing endpoint security solutions to disable enhanced spell check features may be your best bet.

The only upside with spell-jacking is that it in order to be at risk, users would need to manually enable the enhanced spell checker feature for it to be functional. Unfortunately it's very easy to enable, meaning users could have it running in the background without realising so its best to act preventively and be vigilant.

Written by:

Jade Artry is the Content Manager for Tech.co. She has 13+ years experience in the digital marketing industry, covering a wealth of topics including travel, cyber security, social media, email marketing, business and emerging technologies. She's worked with brands including the Red Cross, Kayak, Virgin Atlantic and British Airways, and now uses her digital expertise to advise on the best tools to help grow your business.

Explore More See all news
close Thinking about your online privacy? NordVPN is Tech.co's top-rated VPN service See Deals