Spell-checking features present in both the Google Chrome and Microsoft Edge browsers are leaking sensitive user information — including username, email, and passwords — to Google and Microsoft, respectively, when people fill in forms on popular websites and cloud-based enterprise apps.

The issue — dubbed "spell-jacking" by researchers at client-side security firm Otto JavaScript Security (Otto-js) — can expose personally identifiable information (PII) from some of the most widely used enterprise applications, including Alibaba, Amazon Web Services, Google Cloud, LastPass, and Office 365, according to a blog post published Sept. 16.

Otto-js co-founder and CTO Josh Summit discovered the leakage — which occurs specifically when Chrome's Enhanced Spellcheck and Edge's MS Editor are enabled on browsers —
while conducting research on how browsers leak data in general.

Summit found that these spell-check features send data to Google and Microsoft that's entered into form fields — such as username, email, date of birth, and Social Security number — when someone fills out these forms on websites or Web services while using the browsers, the researchers said.

Chrome and Edge also will leak user passwords if the "show password" feature is clicked when someone enters a password into a site or service, sending that data to Google and Microsoft's third-party servers, they said.

Where the Privacy Risk Lies

Otto-js researchers, who posted a video on YouTube demonstrating how the leakage occurs, tested more than 50 websites that people use daily or weekly that have access to PII. They broke 30 of those into a control group spanning six categories — online banking, cloud office tools, healthcare, government, social media, and e-commerce — and selected websites for each category based on the top ranking in each industry.

Of the 30 control group websites tested, 96.7% sent data with PII back to Google and Microsoft, while 73% sent passwords when "show password" was clicked. Moreover, the ones that did not send passwords had not actually mitigated the issue; they just lacked the "show password" feature, the researchers said.

Of the websites that the researchers investigated, Google is the only one that already had fixed the issue for email and some services. Otto-js found that the company's Web service Google Cloud Secret Manager remains vulnerable, however.

Meanwhile, Auth0, a popular single sign-on service, was not in the control group that the researchers had investigated but was the only website other than Google that had correctly mitigated the issue, they said.

Google's Enhanced spell-check feature, which requires an opt-in from the user, handles the data in an anonymized way, according to a Google spokesperson.

"The text typed by the user may be sensitive personal information and Google does not attach it to any user identity and only processes it on the server temporarily," he tells Dark Reading. "To further ensure user privacy, we will be working to exclude passwords proactively from spell check. We appreciate the collaboration with the security community, and we are always looking for ways to better protect user privacy and sensitive information."

Users of a number of enterprise cloud-based applications also are at risk when entering forms while using the apps on Chrome and Edge if the spell-check features are enabled. Of those aforementioned services, security teams from Amazon Web Services (AWS) and LastPass responded to Otto-js and already have remedied the issue, the researchers said.

Where Does the Data Go?

One big question that arises is what happens to the data once it's received by Google and Microsoft, which the researchers said they can't clearly answer.

At this point, no one knows if the data is being stored on the receiving end or, if this is the case, who is managing its security, the researchers noted. It's also not clear if the data is managed with the same level of security as known sensitive data such as passwords, or if it's being used by product teams as metadata for refining models, they said.

Either way, researchers observed that the issue once again raises the concern about technology companies such as Google and Microsoft having so much access to sensitive information about customers, employees, and companies, particularly when it comes to passwords.

"Passwords are meant to be a secret you share with the party you intended, and no one else," they wrote in the post. "A shared secret should be hashed and irreversible, but this feature violates a fundamental security principle of 'need-to-know' and could be considered a violation of privacy."

Easily Overlooked Issue

Moreover, the data leakage can be widespread for users or enterprises for a number of reasons, the researchers noted. One is that because the browser features that expose the data are actually helpful to users, they are likely to be turned on and exposing data without a user's knowledge.

"What's concerning is how easy these features are to enable and that most users will enable these features without really realizing what is happening in the background," Summit says.

The password exposure also occurs as an "unintended interaction" between browser spell-check and a website feature, making it something that might easily fly under the radar, notes Walter Hoehn, vice president of engineering at Otto-js

"The enhanced spell-checking features in Chrome and Edge offer a significant upgrade over the default dictionary-based methods," he says. "Likewise, websites that provide the option of displaying passwords in cleartext are more usable, especially for those with disabilities."

Path of Mitigation

Even if a website or service has not fixed the issue from its side, enterprises can mitigate the risk of sharing their customers' PII entered into forms by adding "spellcheck=false" to all input fields, although this could create problems for users, researchers acknowledged.

Alternatively, enterprises can just add the command only to form fields with sensitive data to remove the risk, or they could take away the "show password" feature in their forms, they said. This won't prevent spell-jacking, but it will prevent passwords from being sent, the researchers said.

Companies also can mitigate internal exposure of company-owned accounts by implementing endpoint security precautions that disable enhanced spellcheck features and limiting employees from installing unapproved browser extensions, according to Otto-JS.

Consumers can mitigate their own risk of having their data sent to Microsoft and Google without their knowledge by going into their browsers and disabling the respective spell-check culprits, the researchers added.