When these enhanced spell check and grammar tools are turned on, any personal information you type, including passwords, can be seen and shared.
Google Chrome and Microsoft Edge have a significant security issue that allows personal information, including passwords, to be transferred in cleartext.
When these features are enabled, Google and Microsoft receive user data. All organizations collect user data to improve a feature’s performance, but in this instance a user’s personal information is also shared in cleartext: username, password, email address, date of birth, SSN, payment details, etc.
How it works…
Google told Bleeping Computer that enhanced spell check is opt-in and warns users that their input data is shared with its servers. This reduces the problem’s initial scope. The company acknowledged that the data may be sensitive, so text isn’t linked to a user’s identity and is only temporarily stored on Google’s servers. The company also promised to stop processing passwords proactively.
Microsoft Editor’s browser extension has the same issue, according to the inquiry. This is expected since Microsoft uses cloud-based processing to improve spelling, style, and grammar checks.
Given that Microsoft and Google are upfront about text you type being transferred to their servers, no one should be surprised if their passwords are sent along with other content. Even though both have solid privacy standards, neither spell checker should be used if you often handle personal information. You give a third party access to anything you input. This analysis has shown several flaws with cloud-based spell checking, but they should be expected.
If you use a password manager, you should be safe when using Chrome’s spell check or Microsoft Editor, since you’ll only copy and paste passwords or use autofill. However, there are tools that sync your clipboard between devices. If you use any of these, your credentials could end up on a company’s server.