Enhanced spellcheck features in Google Chrome and Microsoft Edge web browsers send form data, including personally identifiable information (PII) like username and email, as well as passwords (in some cases), to Google and Microsoft respectively, a new report from JavaScript security firm Otto-js revealed.
The researchers analyzed more than 50 websites and broke 30 of those into a control group spanning six categories: online banking, cloud office tools, healthcare, government, social media, and eCommerce. Of those, 96.7% transmitted data with PII to Google and Microsoft.
It was also found that 73% of sites tested sent passwords when “show password” was clicked.
“If 'show password' is enabled, the feature even sends your password to their 3rd-party servers. While researching for data leaks in different browsers, we found a combination of features that, once enabled, will unnecessarily expose sensitive data to 3rd Parties like Google and Microsoft. What's concerning is how easy these features are to enable and that most users will enable these features without really realizing what is happening in the background,” the researchers explained.
Otto-js said that the top five websites/services with exposure that may present a risk for organizations include Microsoft Office 365, Alibaba - Cloud Service, Google Cloud - Secret Manager, AWS - Secrets Manager, and LastPass. Both AWS and LastPass have since addressed the issue.
The researchers said that organizations can minimise the risk of sharing their customers' PII by adding “spellcheck=false” to all input fields or, alternatively, only to the form fields that hold sensitive data. Companies can also remove the “show password” function. This measure will not prevent spell-jacking, but it will prevent user passwords from being sent.
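As an added example (not code from the Otto-js report), the following audit flags form fields that lack the spellcheck="false" mitigation described above; the sensitive-name pattern and the constructed sample form are assumptions, and the same function can be pointed at a live page's DOM nodes from the browser console.

```javascript
// Heuristic (assumed, not from the report): names/ids that suggest a field
// holds PII or credentials.
const SENSITIVE_PATTERN = /pass|pwd|secret|token|key|ssn|email|user|card|account/i;

// `fields` is any iterable of element-like objects exposing tagName and
// getAttribute(), so the function runs against real DOM nodes in a browser
// (see auditDocument) or against the constructed stand-ins below in a test.
function auditFields(fields) {
  const findings = [];
  for (const el of fields) {
    const attr = (n) => (el.getAttribute(n) || '').toLowerCase();
    const type = attr('type') || 'text';
    const label = `${el.tagName.toLowerCase()}#${attr('id') || attr('name') || '?'}`;
    const spellcheckOff = attr('spellcheck') === 'false';
    // Controls that never carry typed text are not sent to a spellchecker.
    if (['hidden', 'submit', 'button', 'checkbox', 'radio'].includes(type)) continue;
    const sensitive = SENSITIVE_PATTERN.test(`${attr('id')} ${attr('name')} ${attr('autocomplete')}`);
    if (type === 'password') {
      // A field is not spellchecked while type="password", but a "show password"
      // control that flips it to type="text" removes that protection unless
      // spellcheck="false" is set explicitly.
      if (!spellcheckOff) findings.push({ field: label, severity: 'high',
        reason: 'password field lacks spellcheck="false"; exposed once "show password" flips it to text' });
    } else if (sensitive && !spellcheckOff) {
      findings.push({ field: label, severity: 'medium', reason: 'sensitive field lacks spellcheck="false"' });
    }
  }
  return findings;
}

// Browser entry point: run in DevTools on the page under review.
function auditDocument(doc = globalThis.document) {
  return auditFields(doc.querySelectorAll('input, textarea, [contenteditable]'));
}

// Constructed stand-in for DOM nodes so the audit runs outside a browser.
function fakeField(tagName, attrs) {
  return { tagName, getAttribute: (n) => (n in attrs ? attrs[n] : null) };
}

// Constructed sample login form mixing leaking and hardened fields.
const SAMPLE_FORM = [
  fakeField('INPUT', { type: 'text', name: 'username' }),                  // PII, spellchecked
  fakeField('INPUT', { type: 'password', id: 'pw' }),                      // leaks after "show password"
  fakeField('INPUT', { type: 'password', id: 'pw2', spellcheck: 'false' }), // hardened
  fakeField('INPUT', { type: 'submit', name: 'login' }),                   // ignored
  fakeField('TEXTAREA', { name: 'comment' }),                              // not sensitive
];
```

Running `auditFields(SAMPLE_FORM)` reports the username field (medium) and the unhardened password field (high) and nothing else.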