Recent research by the otto-js research team found that data verified by both Microsoft Publisher and Google Chrome’s enhanced spellcheck setting is sent to Microsoft and Google, respectively. This data can include usernames, emails, date of birth, SSN, and basically anything typed into a text box checked by these features.
Additionally, even passwords can be sent by these features, but only when a “Show Password” button is pressed: this converts the password field to visible text, which the spellchecker then sends for checking.
The key issue revolves around the user’s sensitive personally identifiable information (PII), and this is a major concern for enterprise credentials used to access databases, internal systems and cloud infrastructure. In the images below shared by otto-js, you can see a user logging into Alibaba Cloud, with their data being shared with Google.
Some companies are already taking steps to prevent this, with AWS and LastPass security teams confirming they’ve mitigated this with an update. The problem has already been called “spell-jacking”. What is most concerning is that these settings are so easy for users to enable and could lead to data exposure without anyone noticing.
The otto-js team conducted a test of 30 websites, in various industries, and found that 96.7% of them returned data with PII to Google and Microsoft.
Interestingly, the only website that mitigated the problem was Google itself, and only for certain services, not all of its tested products. At this time, the otto-js research team recommends against using these extensions and settings until this issue is resolved.
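The updates the article mentions from AWS and LastPass point at the site-side fix: mark fields that may carry PII or credentials with spellcheck="false" so an enhanced spellchecker has nothing to send, and keep that attribute set when a “Show Password” control flips the field to plain text. The following is an added example, not code from the article or from otto-js; the sensitive field-name patterns and autocomplete tokens it checks are assumptions, and it works on real DOM elements or any object exposing getAttribute/setAttribute.

```javascript
// Added example (not from the article or otto-js): disable browser spellcheck on
// fields that may carry PII or credentials, so enhanced spellcheck has nothing to send.

// Autocomplete tokens (WHATWG standard) that mark a field as sensitive.
// This list is an assumption and a starting point, not exhaustive.
const SENSITIVE_AUTOCOMPLETE = new Set([
  "username", "email", "tel", "current-password", "new-password", "one-time-code",
]);
// Assumed naming conventions for sensitive fields (name/id attributes).
const SENSITIVE_NAME = /(pass|pwd|ssn|social|email|user|dob|birth|card|cvv)/i;

// Read an attribute as a lower-case string ("" when absent).
function attr(el, name) {
  const v = el.getAttribute(name);
  return v == null ? "" : String(v).toLowerCase();
}

// Decide whether a field should never be spellchecked.
function isSensitiveField(el) {
  if (attr(el, "type") === "password") return true;
  const tokens = attr(el, "autocomplete").split(/\s+/);
  // bday-* and cc-* tokens (date of birth, payment card) are sensitive as a family.
  if (tokens.some((t) => SENSITIVE_AUTOCOMPLETE.has(t) || /^(bday|cc-)/.test(t))) return true;
  return SENSITIVE_NAME.test(attr(el, "name")) || SENSITIVE_NAME.test(attr(el, "id"));
}

// Set spellcheck="false" on a sensitive field; returns true if the attribute was changed.
function hardenField(el) {
  if (!isSensitiveField(el) || attr(el, "spellcheck") === "false") return false;
  el.setAttribute("spellcheck", "false");
  return true;
}

// Apply to every input/textarea under root; returns how many fields were changed.
function hardenForm(root) {
  let changed = 0;
  for (const el of root.querySelectorAll("input, textarea")) {
    if (hardenField(el)) changed += 1;
  }
  return changed;
}

// "Show password" toggles that switch type=password to type=text must keep
// spellcheck disabled; use this instead of assigning el.type directly.
// Returns true when the field ends up in the requested, still-hardened state.
function setPasswordVisible(el, visible) {
  el.setAttribute("spellcheck", "false"); // stays off regardless of visibility
  el.setAttribute("type", visible ? "text" : "password");
  return attr(el, "spellcheck") === "false" && attr(el, "type") === (visible ? "text" : "password");
}

// In a browser, harden the whole page once the script runs (no-op outside the DOM).
if (typeof document !== "undefined") hardenForm(document);
```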
Source: otto-js research team