Google Chrome and Microsoft Edge Are Vulnerable to Spell-Jacking: otto-js
Enhanced Spellcheck in Chrome and MS Editor in Edge can send form/field data, including personally identifiable information (PII) and user credentials, to third parties.
Advanced spell-check features in Google Chrome and Microsoft Edge could cause problems for users. Researchers at otto-js discovered that Enhanced Spellcheck in Chrome and MS Editor in Edge could inadvertently leak sensitive information to third parties such as Google and Microsoft servers.
otto-js, a JavaScript security company, found that these extended spell check features can come at the cost of user privacy. Both can send form/field data, including personally identifiable information (PII), to Google and Microsoft. Worryingly, they also pose a risk of spell-jacking, i.e., exposure of credentials if users click on view password.
Users necessarily have to enable the extended and not the basic spell check features available in Chrome and Edge. At-risk PII includes the users’ names, email IDs, dates of birth, social security numbers, or anything else they enter in the fields when extended spell check is enabled.
otto-js researchers discovered this security flaw while testing the company’s script behaviors detection. Josh Summitt, co-founder & CTO at otto-js, said, “What’s concerning is how easy these features are to enable and that most users will enable these features without really realizing what is happening in the background.”
The company tested over 50 websites in different control groups across online banking, cloud office tools, healthcare government, social media, and eCommerce, 96.7% of which were leaking PII to Google and Microsoft through Enhanced Spellcheck in Chrome and MS Editor in Edge. Additionally, just over 73% of the websites tested sent passwords to Google and Microsoft.
Researchers highlighted the top five biggest websites: Office 365, Alibaba Cloud Service, Google Cloud Secret Manager, AWS Secrets Manager, and LastPass. The latter two have mitigated the issue as of this writing.
The fact that credentials can be exposed jeopardizes a company’s cloud infrastructure, including servers, databases, corporate email accounts, and password managers. “One of the most interesting things about this type of exposure is that it’s caused by the unintended interaction between two features that are, in isolation, both beneficial to users,” said Walter Hoehn, VP of engineering at otto-js.
See More: Five Chrome Extensions Found Collecting User Data Discreetly: Remove Them Now!
The company shared a demonstration video of spell-jacking on AWS Secrets Manager by tapping show password on Chrome and Edge:
Tests conducted on websites outside of the control groups revealed adult content and credit bureaus were leaking PII. However, porn sites were relatively safer as they didn’t have the show password option.
What can users do to prevent spell-jacking on Chrome and Edge?
In Chrome, spell check is enabled by default, but Enhanced Spell Check needs to be activated. Microsoft Editor is available as an add-on for Edge. So, keeping the Chrome settings for Enhanced Spell Check to default and not installing Editor in Edge should mitigate spell-jacking.
To check if Enhanced Spell Check is disabled in Chrome, click the vertical ellipsis on the top-right corner of a Chrome window > Settings > Languages > Spell check. Either disable it entirely or select the radio button next to ‘Basic spell check.’
However, websites can mitigate the issue by updating the HTML code and adding “spellcheck=false” to all input fields or just for sensitive ones. “Companies can also remove the ability to ‘show password.’ That won’t prevent spell-jacking, but it will prevent user passwords from being sent.”
Let us know if you enjoyed reading this news on LinkedIn, Twitter, or Facebook. We would love to hear from you!
MORE ON CYBERSECURITY
