Google Chrome and Microsoft Edge are two Internet browsers that use extended spellcheck features to transmit form data, including Personally Identifiable Information (PII) and passwords to their parent companies. 

While this feature is intended to assist the browser user, it does raise privacy concerns and calls the efficacy of password protection to question.  

“Spell-jacking” is the term used to describe the process of a browser sending PII from spellcheck to Google, Microsoft, and the like. Transmitted PII form data can include Social Security Numbers, Social Insurance Numbers, personal names, addresses, e-mails, dates of birth, contact information, bank information, and so much more. 

Josh Summit, co-founder and CTO of JavaScript security firm otto-js, unearthed this issue while testing script behaviors for his company. When Google Chrome Enhanced Spellcheck or Microsoft Edge Editor is enabled, nearly everything you type in form fields is instantaneously transmitted to Google and Microsoft. Clicking on “show password” can spell-jack your data. 

Summit stated, “Some of the largest websites in the world have exposure to sending Google and Microsoft sensitive user PII, including username, e-mail, and passwords, when users are logging in or filling out forms. An even more significant concern for companies is the exposure this presents to the company’s enterprise credentials to internal assets like databases and cloud infrastructure.” 

Though the transmission of form fields is securely sent through HTTPS, what happens to the user data after it reaches Google’s server, for example, is not exactly clear. Some companies have mitigated the issue by adding ‘spellcheck=false’ to all input fields; however, this could cause problems for users who can no longer use the spellcheck feature. 

Google Chrome and Microsoft Edge users can turn off spellcheck (or remove Edge’s Editor add-on) until the companies revise their code to exclude passwords and other PII from sensitive fields. 

Do you need assistance with adding or removing spellcheck from your browser? Has your data already been compromised? Contact the computer experts at CPS today – we can assist!  

Founded in 1994, Creative Programs and Systems provides professional results for all computer needs. We design, create, and code an array of custom software programs and websites; offer top-notch digital marketing services including enhanced Search Engine Optimization (SEO) and paid advertising; repair and provide support for computers of both residential and professional nature; build custom systems and servers, and offer secure data backups. Need assistance or want to learn more? Call us at 810-224-5252 or e-mail info@cpsmi.com.

Written by the digital marketing team at Creative Programs & Systems: https://www.cpsmi.com/