When enabled, both Chrome's Enhanced Spellcheck and the Microsoft Editor browser extension send the text typed into form fields to Google's and Microsoft's servers, which is the behaviour researchers have named spell-jacking.

What Is Spell-Jacking?

Spell-jacking refers to the exposure of Personally Identifiable Information (PII) through the Enhanced Spellcheck feature in Chrome and the Microsoft Editor extension.

Research by the JavaScript security firm otto-js found that the text entered into form fields was transmitted to Google's and Microsoft's servers when the enhanced spellcheck features were enabled.

Depending on the websites you visit, the leaked information could include username, password, address, date of birth, social security number (SSN), bank and payment information, and more.

Both features are off by default, but they are easy to turn on, and most users who enable them do not realize what happens in the background.

Who Is at Risk?

otto-js identified five widely used online services that were exposed by this flaw: Alibaba's Cloud Service, Office 365, AWS Secrets Manager, Google Cloud Secret Manager, and LastPass. AWS and LastPass have reportedly mitigated the issue, while Google has addressed it for some of its services.

However, it isn't enterprise users alone who are at risk. otto-js tested more than 50 websites that people frequently use and that handle sensitive information. It grouped 30 of those websites into six categories, taking the top five websites per category, to build a benchmark of how often and how severely data was exposed. The six categories are:

Online Banking
Healthcare
Cloud Office Tools
Government
Social Media
E-Commerce

In the control group of 30 websites tested, otto-js found that around 97 percent sent sensitive user data to Google and Microsoft when the spellcheck features were enabled.

Furthermore, over 73 percent of the websites sent passwords when users clicked "show password." Password fields are normally excluded from spellcheck; revealing the password switches the field to a plain text field, which the spellchecker then treats like any other and sends along.

This presents a significant security concern for enterprise credentials and client-side security.

How to Mitigate Spell-Jacking

A password manager, a reputable antivirus program, and a VPN are sound general practice for protecting login credentials, but they do not help here. The browser itself sends the field contents over its own encrypted connection to Google or Microsoft, so a VPN only changes the route that traffic takes, and no malware is involved for an antivirus to catch.

One way for companies to minimize the exposure is to add the spellcheck="false" attribute to input fields and textareas that hold personal information. The attribute tells the browser not to spellcheck that field, so Enhanced Spellcheck and Microsoft Editor never see its contents. It should be set on the field itself, not only on a parent element, and it should be present before any script changes the field's type.

Another way companies can reduce the impact of spell-jacking is to remove the "show password" toggle. This won't stop spell-jacking of other fields, but it keeps password fields from ever being turned into plain text fields whose contents the spellchecker can read and send.
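The following is an added example, not code from the article or from otto-js, showing the two mitigations above in one place: a pass over a form's fields that sets spellcheck="false" on anything that looks like it holds a secret or PII, and a "show password" toggle that re-applies the attribute before switching the field from password to text. The autocomplete tokens and the name pattern used to decide what counts as sensitive are this example's own assumptions; real sites should extend them to their own field naming. The fakeInput helper stands in for a DOM element so the code also runs outside a browser.

```javascript
// Field-level hardening against spell-jacking (added example, not the
// article's or otto-js's code). Works on anything with getAttribute and
// setAttribute: real DOM elements in a browser, or the stand-ins below.

// Autocomplete tokens that mark a field as holding a secret or PII.
// Assumption: this list is a starting point, not a complete one.
const SENSITIVE_AUTOCOMPLETE = new Set([
  'current-password', 'new-password', 'one-time-code',
  'cc-number', 'cc-csc', 'cc-exp', 'username', 'email', 'tel', 'bday',
  'street-address', 'address-line1', 'postal-code',
]);

// Fallback heuristic on field name/id for forms without autocomplete hints.
// Assumption: naming conventions vary, so treat this as a heuristic only.
const SENSITIVE_NAME = /pass|pwd|secret|token|ssn|social|dob|birth|card|account|routing|iban/i;

// Read an attribute as a lowercase string ('' when absent).
function attr(el, name) {
  const v = el.getAttribute(name);
  return v == null ? '' : String(v).toLowerCase();
}

// Decide whether a field should have spellcheck disabled.
function isSensitiveField(el) {
  const type = attr(el, 'type');
  if (type === 'password' || type === 'email' || type === 'tel') return true;
  const tokens = attr(el, 'autocomplete').split(/\s+/);
  if (tokens.some(t => SENSITIVE_AUTOCOMPLETE.has(t))) return true;
  return SENSITIVE_NAME.test(attr(el, 'name')) || SENSITIVE_NAME.test(attr(el, 'id'));
}

// Set spellcheck="false" on every sensitive field in the collection.
// Returns the number of fields that were changed.
function hardenFields(fields) {
  let changed = 0;
  for (const el of fields) {
    if (!isSensitiveField(el)) continue;
    if (attr(el, 'spellcheck') !== 'false') {
      el.setAttribute('spellcheck', 'false');
      changed++;
    }
  }
  return changed;
}

// "Show password" toggle that keeps spellcheck off. Switching the type from
// "password" to "text" is what exposes the value to the spellchecker, so the
// attribute is (re)applied before the type changes. Returns true when the
// password is now visible.
function togglePasswordVisibility(el) {
  el.setAttribute('spellcheck', 'false');
  const show = attr(el, 'type') === 'password';
  el.setAttribute('type', show ? 'text' : 'password');
  return show;
}

// Minimal stand-in for an input element so the example runs without a DOM.
function fakeInput(attrs) {
  const a = { ...attrs };
  return {
    getAttribute: n => (n in a ? a[n] : null),
    setAttribute: (n, v) => { a[n] = String(v); },
  };
}

// In a browser, run once after the form is rendered:
//   hardenFields(document.querySelectorAll('input, textarea'));
// and wire the eye icon to togglePasswordVisibility(passwordInput).
```

Running hardenFields on page load covers fields a template forgot to mark, but the attribute should still be written into the HTML for the fields you already know are sensitive, so the protection does not depend on a script having executed.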

Companies can also use endpoint management and security tooling to turn the cloud spellcheck features off for every managed browser (Chrome's SpellCheckServiceEnabled policy, for example, disables the spellcheck web service) and to block employees from installing browser extensions that are not on an approved list.

For individual users, here’s how you can disable the enhanced spellchecking feature in Chrome and Edge browsers:

Google Chrome

The easiest way to keep your personal data from being sent to Google is to turn off enhanced spellchecking for the time being. You can do this in Chrome's settings:

1. Click the three dots in the top right corner of the browser and select Settings.
2. Scroll down and click Advanced to view additional settings.
3. Select Languages from the options on the left of the screen.
4. Under the Spell check section, select Basic spell check instead of Enhanced spell check.

You can also access the page by simply pasting the following link into your browser’s address bar and pressing Enter:

Microsoft Edge

For Microsoft Edge users, Microsoft Editor is a browser add-on rather than a built-in setting. To remove it, right-click the extension's icon in the toolbar and choose "Remove from Microsoft Edge."

If the icon isn't visible in the toolbar, you can remove it from the extensions list instead. Click "Extensions" to the right of the address bar, select "More actions" next to the extension you want to remove, and click "Remove from Microsoft Edge."

And that’s how you keep your personal data safe for the time being.