Published by: otto-js Research Team | September 16, 2022
Chrome's enhanced spellcheck & Edge's MS Editor are sending data you enter into form fields like username, email, DOB, SSN, basically anything in the fields, to sites you're logging into from either of those browsers when the features are enabled. Furthermore, if you click on "show password," the enhanced spellcheck even sends your password, essentially Spell-Jacking your data.
Some of the largest websites in the world have exposure to sending Google and Microsoft sensitive user PII, including username, email, and passwords, when users are logging in or filling out forms. An even more significant concern for companies is the exposure this presents to the company's enterprise credentials to internal assets like databases and cloud infrastructure.
Image 1: Alibaba Company Cloud Account
Image 2: shows employee credentials(password) being sent to Google while logging into the company's Alibaba Cloud Account.
otto-js co-founder & CTO Josh Summitt discovered the spellcheck leak while testing the company's script behaviors detection.
"If 'show password' is enabled, the feature even sends your password to their 3rd-party servers. While researching for data leaks in different browsers, we found a combination of features that, once enabled, will unnecessarily expose sensitive data to 3rd Parties like Google and Microsoft. What's concerning is how easy these features are to enable and that most users will enable these features without really realizing what is happening in the background." Josh Summitt
Spell-Jacking could spell big trouble for consumers and major industries when it comes to privacy, data protection, and client-side security.
5 of the top concerning websites/services with exposure for enterprise companies are:
*Update: both security teams from AWS and LastPass have responded to the outreach and both have already mitigated the issue.
- Office 365
- Alibaba - Cloud Service
- Google Cloud - Secret Manager
- AWS - Secrets Manager (UPDATE: has already fully mitigated the issue)
- LastPass (UPDATE: has already fully mitigated the issue)
Image 3: otto-js researchers confirmed that LastPass has fully mitigated.
Worth mentioning, LastPass was the first to respond to outreach and first to fully mitigate the risk.
“It is disconcerting that customers can inadvertently expose confidential data by enabling innocuous browser features and not understand that anything they type — including passwords — could result in that data being sent to third parties.”
Christofer Hoff – Chief Secure Technology Officer, LastPass
otto-js researchers created a video demo to illustrate how spell-jacking could easily expose a company's cloud infrastructure (servers, databases, corporate email accounts, and password managers).
Video: In this video, an employee has enabled enhanced spellcheck features as he creates a document. Note that the feature is now enabled and will be enabled for all sites this user visits until he returns to settings and disables.
In this video, the company's enterprise database credentials are being spell-jacked when the employee switches over to the company's cloud services account and clicks "show password," which then shows the password being sent to Google.
The video uses a common scenario in the workplace to illustrate how easy it is to enable the browser-enhanced spellcheck features and how an employee could expose the company without ever knowing it. Most CISOs would be extremely alarmed to learn that their company's administrative credentials were unwittingly shared in cleartext with a third party, even one they generally trust.
Walter Hoehn, otto-js VP of Engineering notes
"One of the most interesting things about this type of exposure is that it's caused by the unintended interaction between two features that are, in isolation, both beneficial to users. The enhanced spellchecking features in Chrome and Edge offer a significant upgrade over the default dictionary-based methods. Likewise, websites that provide the option of displaying passwords in cleartext are more usable, especially for those with disabilities. It's when they are used together that the actual password exposure happens."
How many major websites that you visit daily are inadvertently Spell-jacking your data?
otto-js tested more than 50 websites and broke 30 of those into a control group spanning six categories of websites people use daily or weekly and which have access to highly sensitive PII data. Five websites per category were selected based on top ranking in each industry and tested to create a benchmark of how much exposure might be happening.
- Online Banking
- Cloud Office Tools
- Social Media
Of the 30 control group websites tested, 96.7 percent sent data with PII back to Google & Microsoft.
73 percent sent passwords when "show password" was clicked; note that ones that did not send passwords had not mitigated the issue; they just lacked the "show password" feature.
The only control group website tested that had mitigated the issue was Google. Though Google did mitigate the issue for email and some services, they have not mitigated it for some of their services like Google Cloud' Secret Manager.' Auth0, a popular single-sign-on service, was not in the control group but was the only website other than Google that had correctly mitigated the issue.
Maggie Louie co-founder & CEO
"Some industries we looked at (outside the control group) included adult content (top porn sites) and credit bureaus. That may not be concerning when we're talking about Google and Microsoft, but in the wrong hands, could a text reader or browser extension with the same enhanced features be used for context-aware surveillance?"
None of the adult content sites tested sent passwords because they did not have the "show password" feature, but all sent data and some PII to Google & Microsoft.
How to mitigate Spell-jacking
Companies can mitigate the risk of sharing their customers' PII - by adding "spellcheck=false" to all input fields, though this could create problems for users. Alternatively, you could add it to just the form fields with sensitive data. Companies can also remove the ability to "show password." That won't prevent spell-jacking, but it will prevent user passwords from being sent. Companies can also use client-side security software like otto-js to monitor and control third-party scripts.
Companies can mitigate internal exposure of company-owned accounts by implementing endpoint security solutions that disable enhanced spellcheck features and limiting employees from installing unapproved browser extensions.
Consumers can disable the feature by going into the Chrome settings and then “Sync and Google Services” which is a bit unintuitive. Then scroll down to the bottom of the page and disable enhanced spelling features. Here is a link to Google’s documentation for various versions and devices Disable Enhanced Spellcheck
Note that the enhanced spellcheck features are not the default setting, but once enabled will remain so until disabled. You can also install otto-js' free Chrome extensions to receive alerts when you are on a website that has the risk of data leaks caused by enhanced spellcheck. For users who rely on these features this option would allow you to leave them on but get reminded when you are on a page that you might enter sensitive data. Both apps provide alerts and quick tips to disable.
otto-js ShopSecure - free browser protection for shoppers
otto-js Developer Tools - free runtime script testing tools
Who has access to the data being sent to spellcheck?
It's unclear if the data is being stored and, if so, who manages the security of the data collected by the enhanced spellcheck features. It's also unclear if the data is managed with the same level of security as known sensitive data like passwords, or maybe by a product team, as metadata for refining models.
While Google & Microsoft are both trusted companies, you may not want them to collect information about your customers, employees, or company, and you most likely don't want these features sending passwords. Passwords are meant to be a secret you share with the party you intended, and no one else. A shared secret should be hashed and irreversible, but this feature violates a fundamental security principle of "need-to-know" and could be considered a violation of privacy. This edge case is unique, unexpected, and easy to fix. However, this is just the beginning of unforeseen risks related to massive dependencies on the interconnected economy of microservices, integrated applications, browser extensions, and online payments, all powered by a supply chain of third-party scripts, all capable of getting access to the same sensitive data.
otto-js has notified Google and Microsoft about the enhanced feature issue as well as the companies with the most significant exposure to other enterprise companies.
Check your website for exposure to spell-jacking or any other credential leaks to third-party scripts, visit: otto-js.com scan site, or contact [email protected]
To check the list for your company contact
Technical support: [email protected]
To check your website visit otto-js.com