Google, Microsoft can get your passwords through web browser spell checker

Extensive spell-checking features in Google Chrome and Microsoft Edge web browsers pass form data, including personally identifiable information (PII) and, in some cases, passwords, to Google and Microsoft respectively.

While this may be a known and intended feature of these web browsers, it raises concerns about what happens to the data after transmission and the security of the practice, particularly with regard to password fields.

Chrome and Edge ship with basic spell checkers enabled. However, features such as Chrome’s enhanced spell check or Microsoft Editor, when manually enabled by the user, pose this potential privacy risk.

Spell-jacking: It’s your spell checker sending PII to Big Tech

When using major web browsers such as Chrome and Edge, your form data is transmitted to Google and Microsoft, respectively, if enhanced spell checking features are enabled.

Depending on the website you are visiting, the form data may itself include PII, including but not limited to Social Security Numbers (SSN)/Social Insurance Numbers (SIN), name, address, email, date of birth (DOB), contact details, bank and payment information, etc.

Josh Summitt, co-founder and CTO of JavaScript security firm otto-js, discovered this issue while testing his company’s scripting behavior detection.

In cases where Chrome’s enhanced spell check or Edge’s Microsoft Editor (spell checker) was enabled, “essentially everything” typed into form fields in those browsers was passed to Google and Microsoft.

“Plus, if you click ‘show password’, the enhanced spell checker even sends your password, essentially Spell-Jacking your data,” otto-js explains in a blog post.

“Some of the world’s largest websites are at risk of sending sensitive user PII to Google and Microsoft, including username, email and passwords, when users log in or fill out forms. An even bigger concern for enterprises is the exposure this presents to the enterprise’s corporate credentials to internal assets such as databases and cloud infrastructure.”

Alibaba login form fields, with “show password” enabled (otto-js)
Chrome’s enhanced spell checker passes the password to Google (otto-js)

Users can often rely on the “Show password” option on sites where copying and pasting passwords is not allowed, for example, or when they suspect they have entered it incorrectly.

To demonstrate, otto-js shared an example of a user entering credentials on the Alibaba Cloud Platform in the Chrome web browser, although any website can be used for this demonstration.

When Enhanced Spell Check is enabled, and assuming the user has pressed the “Show Password” function, the form fields, including username and password, are passed to Google at the address googleapis.com.

A demo video was also shared by the company:

BleepingComputer also observed credentials being passed to Google in our tests using Chrome to visit major sites such as:

  • CNN—username and password when using “show password”
  • Facebook.com—username and password when using “show password”
  • SSA.gov (Social Security Login)—username field only
  • Bank of America—username field only
  • Verizon—username field only

A simple HTML solution: ‘spellcheck=false’

Although form fields are transmitted securely over HTTPS, it may not be clear what happens to the user’s data once it reaches the third party, in this example, the Google server.

“The Improved spell check feature requires user consent,” a Google spokesperson confirmed to BleepingComputer. Note that this contrasts with the basic spell checker which is enabled by default in Chrome and does not pass data to Google.

To check if enhanced spell checking is enabled in your Chrome browser, copy and paste the following link into your address bar. You can then choose to enable or disable it:

chrome://settings/?search=Enhanced+Spell+Check

Enhanced spell check setting in Chrome must be enabled (BleepingComputer)

As the screenshot shows, the feature’s description explicitly states that with enhanced spell checking enabled, “text you type in the browser is sent to Google.”

“The text entered by the user may be sensitive personal information and Google does not associate it with any user identity and only temporarily processes it on the server. To further ensure user privacy, we will do our best to proactively exclude passwords from spell check,” Google continued in its statement shared with us.

“We value collaboration with the security community and are always looking for ways to better protect user privacy and sensitive information.”

As for Edge, Microsoft Editor’s spelling and grammar checker is a browser add-on which must be explicitly installed for this behavior to occur.

BleepingComputer contacted Microsoft well in advance of publication. We were told that the matter was under review, but we have not yet received a response.

otto-js dubbed the attack vector “Spell-jacking” and expressed concern for users of cloud services like Office 365, Alibaba Cloud, Google Cloud – Secret Manager, Amazon AWS – Secrets Manager, and LastPass.

Reacting to the otto-js report, AWS and LastPass have mitigated the issue. In the case of LastPass, the remedy was to add a simple HTML attribute, spellcheck="false", to the password field:

LastPass “password” field now includes HTML attribute spellcheck=false (BleepingComputer)

The “spellcheck” HTML attribute, when omitted from form text input fields, is generally assumed by web browsers to be true by default. An input field with ‘spellcheck’ explicitly set to false will not be processed by a web browser’s spell checker.

“Companies can mitigate the risk of sharing their customers’ PII – by adding ‘spellcheck=false’ to all input fields, although this can create problems for users,” says otto-js, referring to the fact that users will no longer be able to run the text they enter through the spell checker.

“You can also add it only to form fields that contain sensitive data. Companies can also remove the ability to ‘show password’. This won’t prevent spell-jacking, but it will prevent sending user passwords.”
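The mitigation described above can be checked across a site's templates before they ship. The following is an added example, not code from the article or from otto-js: a static audit that reports sensitive fields a spell checker may still process, honouring a spellcheck value inherited from a parent element. The class and function names, the `HINTS` naming heuristic and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser

VOID = {"input", "br", "img", "hr", "meta", "link"}            # tags with no end tag
TEXT_TYPES = {"text", "search", "email", "url", "textarea"}    # spell-checkable fields
HINTS = ("pass", "pwd", "user", "login", "email", "ssn", "card", "cvv", "dob")  # assumed

class SpellcheckAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = [("#root", True)]   # (tag, spellcheck enabled?); omitted means true
        self.findings = []               # (field name, reason) per exposed sensitive field

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # "false" disables, "true" or "" enables, absent or invalid inherits from the parent
        value = a.get("spellcheck", "inherit").strip().lower()
        enabled = {"false": False, "true": True, "": True}.get(value, self.stack[-1][1])
        if tag in ("input", "textarea") and enabled:
            self._check(tag, a)
        if tag not in VOID:
            self.stack.append((tag, enabled))

    def handle_endtag(self, tag):
        tags = [t for t, _ in self.stack]
        if tag in tags:      # pop back to the matching open tag, ignore stray end tags
            del self.stack[len(tags) - 1 - tags[::-1].index(tag):]

    def _check(self, tag, a):
        ftype = a.get("type", "text").lower() if tag == "input" else "textarea"
        name = a.get("name") or a.get("id") or ftype
        ident = f"{a.get('name', '')} {a.get('id', '')} {a.get('autocomplete', '')}".lower()
        if ftype == "password":
            self.findings.append((name, "sent once 'show password' switches it to text"))
        elif ftype in TEXT_TYPES and any(h in ident for h in HINTS):
            self.findings.append((name, "sensitive text field is spell-checked"))

def audit(html):
    parser = SpellcheckAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample markup, not taken from any site named in the article.
SAMPLE = ('<form><input type="text" name="username">'
          '<input type="password" name="password" spellcheck="true"></form>'
          '<form spellcheck="false"><input type="text" name="username2">'
          '<input type="password" name="password2"></form>')

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Only the first form is reported; the second is covered by spellcheck="false" on the form element itself.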

Ironically, we observed that the Twitter login form, which comes with the “show password” option, has the “spellcheck” HTML attribute of the password field explicitly set to true:

Twitter password field has “show password” and spellcheck is set to true (BleepingComputer)

As an added protection, Chrome and Edge users can disable Enhanced Spell Check (following the steps above) or remove the Microsoft Editor add-on from Edge until the two companies revise their enhanced spell checkers to exclude processing of sensitive fields, like passwords.
