Spell-Jacking
skip to main content

CBWY Blog

Spell-Jacking

Your browsers spell check is collecting your personal information.

Spell-Jacking

Spell check is a feature used by countless people in their everyday typed communication.  It’s accuracy ensures the number of typos in your documents decrease; this allows people to type with ease.  Most people install spell check extensions to make sending emails and writing papers faster.  However a new study shows that spell check extensions on your browsers are collecting your personal information, such as username, email, date of birth, Social Security number, and passwords essentially Spell-Jacking your information.

Body:  Spell check is a feature used by countless people in their everyday typed communication.  It’s accuracy ensures the number of typos in your documents decrease; this allows people to type with ease.  Most people install spell check extensions to make sending emails and writing papers faster.  A new report from Otto-js co-founder and CTO Josh Summit has revealed that spell check extensions might not be safe. This report shows that spell checking features present in both the Google Chrome and Microsoft Edge browsers are leaking sensitive user information. 

Otto-js co-founder and CTO Josh Summit discovered the leakage that occurs specifically when Chrome's Enhanced Spellcheck and Edge's MS Editor are enabled on browsers.  Josh’s discovery came while conducting research on how browsers leak data in general.

According to the blog “Google & Microsoft can get your password via your browser enhanced spellcheck”  published on otto-js website, the spell check features sends data to Google and Microsoft that is entered into form fields.  Username, email, date of birth, and Social Security number, were among the information that was sent while using Google Chrome and Microsoft Edge.  Passwords were sent to Google and Microsoft’s third party servers, if 'show password' is enabled, essentially Spell-Jacking your data. Josh Summit is quoted in the blog post “Chrome & Edge Enhanced Spellcheck Features Expose PII, Even Your Password”  

 “While researching for data leaks in different browsers, we found a combination of features that, once enabled, will unnecessarily expose sensitive data to 3rd Parties like Google and Microsoft.  What's concerning is how easy these features are to enable and that most users will enable these features without really realizing what is happening in the background."

 

It is not known if the data is being stored once it is received or who is managing its security. However, it raises concern among researchers about tech companies having so much access to sensitive information including passwords.  

To lower the risk of having your data sent to Microsoft and Google disable the spell check feature. If you have manually enabled the spell check feature on your browser, you can turn if off by removing the extension. If you have enabled the native spell check feature present on Google Chrome or Microsoft Edge, you can turn it off from the settings.

How to disable Spell Check in Chrome

  1. Go to the settings for Google Chrome.
  2. Click the Menu icon at the top right corner of the browser. This is represented by 3 horizontal lines.
  3. Click Settings.
  4. Click Show advanced settings, if you don’t see Language on the left,
  5. Click Language and go to spellcheck section.
  6. Make sure the check box next to Enable spell checking is unchecked, and then click Done or exit setting box.

How to disable Spell Check in Microsoft Edge

  1.  On the top right of the screen after launching Edge, click on the … (3 dots). 
  2. Click on Languages.
  3. Under the "Check spelling" section, turn on/off the toggle switch for the languages that you want Microsoft Edge to check spelling while you're typing.

Quick tip: If you wish not to use the spell checker, turning off the toggle switch for all the languages will disable the feature.

At Commerce Bank of Wyoming, online security is more important than ever before. Rest assured, protecting your personal information is one of our top priorities. We are committed to providing you with the tools, tips and resources you need to keep your information safe and secure. Visit our Online Security Center to learn more.

References:

otto-js Research Team (2022, September 16) “Google & Microsoft can get your password via your browser enhanced spellcheck” Retrieved, September 22, 2022 from,  https://www.otto-js.com/news/article/spell-jacking-enhanced-spellcheck-features-send-pii-even-passwords

otto-js Research Team (2022, September 16) “Chrome & Edge Enhanced Spellcheck Features Expose PII, Even Your Password” Retrieved, September 22, 2022 from,  https://www.otto-js.com/news/article/chrome-and-edge-enhanced-spellcheck-features-expose-pii-even-your-passwords

Elizabeth Montalbano, Contributor, Dark Reading, (2022, September 20)  “Spell-Checking in Google Chrome, Microsoft Edge Browsers Leaks Passwords” Retrieved, September 22, 2022 from, https://www.darkreading.com/application-security/spellchecking-google-chrome-microsoft-edge-browsers-leaks-passwords

There is a Difference.
Commerce Bank of Wyoming is committed to website compliance with the Americans with Disabilities Act.
We strive to make our site useful and accessible to everyone. If you have questions or comments regarding the website please contact us.
copyright © 2004-2024 Commerce Bank of Wyoming. All rights reserved. / sitemap / Admin Login
top
^