October 1, 2022

Google, Microsoft can get your passwords via a web browser’s spell check

Extended spell-checking features in Google Chrome and Microsoft Edge web browsers transfer form data, including personally identifiable information (PII) and in some cases, passwords, to Google and Microsoft, respectively.

While this may be a well-known and intended feature of these web browsers, it does raise concerns about what happens to data after transmission and how secure this practice is, particularly when it comes to password fields.

Chrome and Edge both ship with basic spell-checkers enabled. But features like Enhanced Spell Check in Chrome or Microsoft Editor in Edge, when manually enabled by the user, present these privacy risks.

Spell-jacking: the spell-checker that sends PII to Big Tech

When using major web browsers such as Chrome and Edge, form data is sent to Google and Microsoft, respectively, if enhanced spell-checking features are enabled.

Depending on the website you are visiting, the form data itself may include personally identifiable information, including but not limited to Social Security Numbers (SSNs) / Social Insurance Numbers (SINs), name, address, email, date of birth (DOB), contact information, bank and payment information, etc.

Josh Summitt, co-founder and chief technology officer of JavaScript security company otto-js, discovered this issue while testing his company’s script behavior detection.

In cases where Chrome’s Enhanced Spell Check or Edge’s Microsoft Editor (spelling checker) was enabled, “anything” entered in form fields in these browsers was sent to Google and Microsoft.

“Furthermore, if you click Show Password, the enhanced spell-checker sends your password, which is basically the spelling of your data,” explains otto-js in a blog post.

“Some of the largest websites in the world are subject to sending sensitive user PII information to Google and Microsoft, including username, email and passwords, when users log in or fill out forms. It is an even more significant concern for companies that this exposes their enterprise credentials to internal assets such as databases and cloud infrastructure.”

Alibaba login form fields, with ‘Show password’ enabled (otto-js)
Chrome’s Enhanced Spell Check transmits the password to Google (otto-js)

Users often rely on the “Show Password” option on sites where copying and pasting passwords is not allowed, for example, or when they suspect they’ve mistyped them.

To illustrate, otto-js shared an example of a user entering credentials on Alibaba’s Cloud platform in the Chrome web browser, although any website could be used for this demo.

With Enhanced Spell Checking enabled, and assuming the user clicks Show Password, form fields including username and password are submitted to Google at googleapis.com.

A demonstration video has also been shared by the company.

BleepingComputer also noticed credentials being transferred to Google in our tests using Chrome to visit major sites like:

  • CNN – username and password when using Show Password
  • Facebook.com – username and password when using Show Password
  • SSA.gov (Social Security login) – username field only
  • Bank of America – username field only
  • Verizon – username field only

Simple HTML fix: spellcheck="false"

Although form fields are transmitted securely over HTTPS, it is not immediately obvious what happens to user data once it reaches the third party, in this example Google’s servers.

“The Enhanced Spell Check feature requires the user to enable it,” a Google spokesperson confirmed to BleepingComputer. This is in contrast to the basic spell checker, which is enabled in Chrome by default and does not transfer data to Google.

To check whether Enhanced Spell Check is enabled in Chrome, copy and paste the following link into the address bar. You can then choose to turn it on or off:

chrome://settings/?search=Enhanced+Spell+Check

The Enhanced Spell Check setting must be enabled in Chrome (BleepingComputer)

As can be seen from the screenshot, the feature description explicitly states that with Enhanced Spell Check enabled, “the text you type in the browser is sent to Google.”

“The text that a user types may be sensitive personal information; Google does not attach it to any user identity and only processes it on the server temporarily. To further ensure user privacy, we will proactively exclude passwords from spell checking,” Google continued in its statement to us.

“We value the collaboration with the security community, and are always looking for ways to better protect user privacy and sensitive information.”

For Edge, Microsoft Editor Spelling & Grammar Checker is a browser add-on that must be explicitly installed for this behavior to occur.

BleepingComputer contacted Microsoft in advance of publication. We were told that the matter is under investigation but have not yet received a response.

otto-js called the attack vector “Spell-jacking” and expressed concern for users of cloud services such as Office 365, Alibaba Cloud, Google Cloud Secret Manager, AWS Secrets Manager and LastPass.

In response to the otto-js report, both AWS and LastPass mitigated the issue. In the case of LastPass, the fix was to add a simple HTML attribute, spellcheck="false", to the password field:

The LastPass ‘password’ field now includes the spellcheck="false" HTML attribute (BleepingComputer)

When the spellcheck attribute is omitted from a form text input, web browsers usually treat it as true by default. An input field with spellcheck explicitly set to false will not be processed by the browser’s spell checker.

“Businesses can mitigate the risk of sharing their customers’ personally identifiable information by adding spellcheck=false to all input fields, although this can create problems for users,” explains otto-js, referring to the fact that users will then no longer be able to run the text they enter through the spell checker.

Alternatively, sites can add it only to form fields that contain sensitive data. Companies can also remove the ‘show password’ option.

Ironically, we noticed that the Twitter login form, which comes with a “show password” option, has the spellcheck HTML attribute of its password field set to true:

Twitter password field has “Show password” and spellcheck set to “true” (BleepingComputer)
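As an added example (not code from the article, BleepingComputer or otto-js), the following Node-runnable script audits form markup for sensitive inputs that lack spellcheck="false" and shows a show-password toggle that sets the opt-out before exposing the field; the autocomplete token list, the helper names and the sample form are constructed for this example.

```javascript
// Added example (not from the article, BleepingComputer or otto-js): audit form
// markup for the spell-jacking exposure above, flagging <input> tags that carry
// credentials or PII without spellcheck="false". Regex-based, for templates and
// snippets; not a full HTML parser ('>' inside an attribute value breaks it).
const INPUT_TAG = /<input\b([^>]*)>/gi;
const ATTR = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
// Lowercased attribute name -> value; a bare attribute maps to "".
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  return attrs;
}
// Sensitive: a password input, or an autocomplete token naming a credential/PII
// kind (this list is the example's choice) a site would not want spell-checked remotely.
const SENSITIVE = new Set(['current-password', 'new-password', 'one-time-code', 'username', 'email', 'cc-number']);
function isSensitive(attrs) {
  if ((attrs.type || 'text').toLowerCase() === 'password') return true;
  return SENSITIVE.has((attrs.autocomplete || '').toLowerCase());
}
// spellcheck is an enumerated attribute: only the literal "false" opts out;
// omitted, "" and "true" (as on the Twitter field above) leave the field eligible.
function spellcheckDisabled(attrs) {
  return (attrs.spellcheck || '').toLowerCase() === 'false';
}
// Returns the name/id of every sensitive input that lacks spellcheck="false".
function auditForm(html) {
  const findings = [];
  for (const m of html.matchAll(INPUT_TAG)) {
    const a = parseAttrs(m[1]);
    if (isSensitive(a) && !spellcheckDisabled(a)) findings.push(a.name || a.id || '(unnamed)');
  }
  return findings;
}

// Show-password toggle that keeps the opt-out: set spellcheck="false" before the
// field becomes plain text the checker can read. `field` is any object with get/setAttribute.
function revealPassword(field) {
  field.setAttribute('spellcheck', 'false');
  field.setAttribute('type', 'text');
  return field.getAttribute('type') === 'text' && field.getAttribute('spellcheck') === 'false';
}

// Constructed sample markup, not taken from any real site.
const SAMPLE_FORM = `<form>
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pass" spellcheck="true">
  <input type="password" name="pass_ok" spellcheck="false">
  <input type="text" name="comment">
</form>`;
console.log('Exposed fields:', auditForm(SAMPLE_FORM)); // Exposed fields: [ 'user', 'pass' ]
```

Run it against the rendered login template rather than the source of a single page, since fields added by scripts (or a show-password toggle that flips type to text) are what the browser's checker actually sees.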

As an extra precaution, Chrome and Edge users can turn off Enhanced Spell Check (following the steps above) or remove the Microsoft Editor add-on from Edge, at least until the two companies revise their enhanced spell-checkers to exclude sensitive fields such as passwords from processing.