Spell-jacking in well-known browsers

23 SEP 2022

BACKGROUND
Researchers have found that add-on spellchecking features in the popular web browsers Google Chrome and Microsoft Edge have been leaking sensitive information back to their parent companies, Google and Microsoft respectively. The transmitted data includes Personally Identifiable Information (PII) such as name, address, email, date of birth, contact information, bank and payment information, and usernames and passwords.

Both browsers have basic built-in spellcheckers enabled by default, which do not transmit data back to Google or Microsoft. However, Chrome's 'Enhanced Spell Check' and Edge's 'Microsoft Editor' must be enabled manually by the user.


IMPACT

  • Data Leakage 
  • Exposure of personal information


RECOMMENDATIONS

  • Web developers should add “spellcheck=false” to any input fields that may take sensitive information, so that spellchecking tools are blocked from those fields. Spellchecking will then be disabled for these entries.
  • Temporarily disable enhanced spellcheckers or remove them entirely from the browser.
  • Microsoft Edge
    Turn off the Writing Assistance setting
    1. Go to Settings.
    2. Click Languages.
    3. Under Use Writing Assistance, toggle it off.
  • Google Chrome
    1. Go to chrome://settings/languages
    2. To disable "Enhanced Spell Check" in Chrome, select Basic spell check or toggle off Spell Check.
  • After turning off these add-on spell check features, it is advisable to change your online passwords.
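
For the web developer recommendation above, the following added example (not part of the original advisory) scans static markup for sensitive fields that lack the spellcheck opt-out. The function names, the SENSITIVE keyword heuristic and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: flag sensitive form fields that do not opt out of spellchecking.
// SENSITIVE is an assumed heuristic; adapt it to your own field naming.
const SENSITIVE = /pass|pwd|email|e-mail|name|address|dob|birth|phone|card|iban|account|ssn/i;

// Parse the attributes of one start tag into a lower-cased map.
function parseAttrs(src) {
  const attrs = {};
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').toLowerCase();
  }
  return attrs;
}

// Return the sensitive <input>/<textarea> fields lacking spellcheck="false".
function findSpellcheckedFields(html) {
  const findings = [];
  const tagRe = /<(input|textarea)\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttrs(m[2]);
    const type = a.type || 'text';
    // Controls that never carry typed text are skipped.
    if (/^(hidden|checkbox|radio|submit|button|file|image|reset)$/.test(type)) continue;
    const hint = [type, a.name, a.id, a.autocomplete].filter(Boolean).join(' ');
    if (SENSITIVE.test(hint) && a.spellcheck !== 'false') {
      findings.push(a.name || a.id || `<${m[1].toLowerCase()}>`);
    }
  }
  return findings;
}

// Constructed sample markup: the first form is unprotected, the second is corrected.
const SAMPLE = `
<form id="before">
  <input type="text" name="full_name">
  <input type="email" name="email" spellcheck="true">
  <input type="password" name="password">
  <textarea name="comment"></textarea>
</form>
<form id="after">
  <input type="text" name="full_name" spellcheck="false">
  <input type="email" name="email" spellcheck=false>
  <input type="password" name="password" spellcheck='false'>
</form>`;

console.log(findSpellcheckedFields(SAMPLE));
```

The scan is regex-based and only sees markup present in the HTML source; fields created by scripts at runtime need a check against the live DOM instead.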

 

REFERENCES