Google Chrome and Microsoft Edge recently introduced a more powerful spell checker that should contribute to better writing. However, according to the otto-js research team, these mechanisms have also been found to send sensitive data to both corporations, such as email addresses, usernames, dates of birth, social security numbers, contact details, payment details, other sensitive identification details (such as the DNI in Spain) and even a password if you use a feature that allows it to be displayed.
otto-js found that, depending on the web pages the user visits (that is, not every web page leaks data), Google Chrome's Enhanced Spell Check and Microsoft Edge's Editor (also an enhanced spell checker) can send virtually any data that the user enters into forms to the companies responsible.
An email address is not particularly compromising without its password, especially if the password is strong and hard to brute force (more than a dozen characters and a combination of letters, numbers, and special characters), but it is not good that data such as passwords, DNI, social security numbers and payment numbers end up on Google and Microsoft servers without the user being warned.
As we said before, the password problem seems to have another requirement, which is the use of a feature that displays the password, generally used to check that it was entered correctly in an environment where the user is alone. The researchers tested Alibaba's login form.

Websites on which the data leak can be reproduced include Office 365, Alibaba's cloud service, Google Cloud, Amazon Web Services (AWS), and the password manager LastPass. According to updates otto-js has made to the post on its official blog, the latter two have implemented the necessary mitigations to prevent another leak: they added spellcheck=false to all input fields in their forms to disable spell checking.
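The mitigation described above can be checked against a site's own form markup. The following is an added example, not code from otto-js or from any of the sites named: it scans an HTML string for input and textarea tags that lack spellcheck="false". The function names and the sample markup are constructed; password inputs are flagged on the assumption that a show-password toggle switches them to type="text", and inheritance of spellcheck from a parent element is not evaluated.

```javascript
// Text-like input types that a browser may spell-check; "password" is included
// because a show-password toggle turns the field into a text field (assumption).
const TEXT_TYPES = new Set(["text", "email", "search", "tel", "url", "password"]);

// Parse the attributes of one tag into a lower-cased name -> value map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const body = tag.replace(/^<\s*[a-zA-Z0-9]+/, "").replace(/\/?>$/, "");
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").trim();
  }
  return attrs;
}

// Return the fields in `html` that do not carry spellcheck="false".
function findSpellcheckedFields(html) {
  const findings = [];
  const tagRe = /<\s*(input|textarea)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const el = m[1].toLowerCase();
    const attrs = parseAttrs(m[0]);
    const type = (attrs.type || "text").toLowerCase();
    if (el === "input" && !TEXT_TYPES.has(type)) continue; // checkbox, hidden, ...
    if ((attrs.spellcheck || "").toLowerCase() === "false") continue; // mitigated
    findings.push({ element: el, type: el === "input" ? type : null, name: attrs.name || attrs.id || "(unnamed)" });
  }
  return findings;
}

// Constructed sample markup, not taken from any site named in the article.
const SAMPLE = `
<form>
  <input type="email" name="user">
  <input type="password" name="pass" spellcheck="false">
  <input type="password" name="pin">
  <input type="hidden" name="csrf" value="x">
  <textarea name="notes" spellcheck='false'></textarea>
  <textarea name="address"></textarea>
</form>`;

console.log(findSpellcheckedFields(SAMPLE));
```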
The outlet BleepingComputer also conducted its own investigation, which allowed it to add CNN, Facebook, SSA.gov (United States Social Security), Bank of America, and Verizon to the otto-js list, so these websites are also inadvertently contributing to the leak of data that should be exclusively private to the user.
In total, otto-js examined more than 50 websites and placed 30 of them in a control group covering six categories: online banking, cloud office tools, medical services, government, social media and e-commerce. Of the 30 websites in the control group, 96.7% send personal data to Google and Microsoft servers through enhanced spell checking. In addition, when the show password feature is used, 73% end up revealing the password.
How to turn off enhanced spell check in Google Chrome and Microsoft Edge
Fortunately, the bug is localized to a very specific feature that can be easily disabled. To protect privacy and above all to avoid sending personal data to the wrong person, we recommend following these steps.
In Edge, Microsoft Editor is actually an extension that installs itself, although the browser apparently also has an implementation under “Use typing assistance” in the Languages section, which is checked by default. For greater security, it is advisable to use basic spell checking or turn off typing assistance completely.

In Google Chrome the process is similar, and the feature is also not enabled by default. In the same Languages section, you need to select “Basic Spell Check” unless you choose to disable spell checking completely.

It seems that disabling spell checking from the web forms themselves will have to become the standard for more effective user protection, although this does not mean that users will not have to take the necessary precautions. After all, when it comes to privacy and security, no precaution is ever too much.