Spell-Jacking: Chrome and Edge Web Browsers Leaking Sensitive Information

BACKGROUND
Researchers have found that add-on spellchecking features added to popular web browsers Google
Chrome and Microsoft Edge have been leaking sensitive information back to their parent companies
Google and Microsoft respectively. The transmitted data includes Personally Identifiable Information
(PII) such as name, address, email, date of birth, contact information, bank and payment information,
usernames and passwords.
Both browsers have basic built-in spellcheckers enabled by default, which do not transmit data back
to Google or Microsoft. However, Chrome's 'Enhanced Spell Check' and Edge's 'Microsoft Editor' are
manually enabled by the user.
 

IMPACT

  • Data Leakage
  • Exposure of personal information

 

RECOMMENDATIONS

Web developers should add “spellcheck=false” to any input fields that may require sensitive
information, in order to effectively exclude those fields from spellchecking tools. This means that
spellchecking will be disabled for these entries.
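
One way a web developer could audit a page against this recommendation, as an added example that is not part of the original advisory. The hint patterns, function names and sample fields are assumptions chosen for illustration:

```javascript
// Added example, not from the advisory. The hint pattern and function names
// are assumptions; tune them to your own field naming.
const SENSITIVE_HINT =
  /pass|pwd|user|login|e-?mail|name|addr|birth|dob|phone|card|cvv|cvc|iban|account/i;
// Input types that accept free text. "password" is included because
// "show password" toggles usually switch the field to type="text".
const TEXT_TYPES = new Set(["", "text", "search", "email", "tel", "url", "password"]);

// field: { tag, type, name, id, autocomplete, spellcheck }, null when absent.
function needsSpellcheckOff(field) {
  const tag = (field.tag || "").toLowerCase();
  const type = (field.type || "").toLowerCase();
  const isTextEntry = tag === "textarea" || (tag === "input" && TEXT_TYPES.has(type));
  if (!isTextEntry) return false;
  const label = [field.name, field.id, field.autocomplete].filter(Boolean).join(" ");
  const sensitive = type === "password" || SENSITIVE_HINT.test(label);
  // Only the element's own attribute is checked, so a field relying on an
  // ancestor's spellcheck="false" is still flagged (conservative).
  const alreadyOff = String(field.spellcheck).toLowerCase() === "false";
  return sensitive && !alreadyOff;
}

// Returns the name (or id) of every field that should get spellcheck="false".
function auditFields(fields) {
  return fields.filter(needsSpellcheckOff).map((f) => f.name || f.id || "(unnamed)");
}

// Browser glue: set the attribute on every flagged field in a document.
function hardenDocument(doc) {
  const fixed = [];
  for (const el of doc.querySelectorAll("input, textarea")) {
    const field = { tag: el.tagName, id: el.id };
    for (const a of ["type", "name", "autocomplete", "spellcheck"]) field[a] = el.getAttribute(a);
    if (needsSpellcheckOff(field)) {
      el.setAttribute("spellcheck", "false");
      fixed.push(field.name || field.id || "(unnamed)");
    }
  }
  return fixed;
}

// Constructed sample form, described as plain objects so it also runs under Node.
const SAMPLE_FIELDS = [
  { tag: "input", type: "text", name: "username", spellcheck: null },
  { tag: "input", type: "password", name: "secret", spellcheck: null },
  { tag: "input", type: "text", name: "card_number", spellcheck: "false" },
  { tag: "textarea", name: "comment", spellcheck: null },
  { tag: "input", type: "checkbox", name: "remember_user", spellcheck: null },
];
```

In a browser, `hardenDocument(document)` returns the fields it changed; `auditFields(SAMPLE_FIELDS)` reports which of the constructed fields still lack the attribute.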

Temporarily disable enhanced spellcheckers or remove them entirely from the browser.

  • Microsoft Edge

Turn off the Writing Assistance Setting

1. Go to Settings.
2. Click Languages.
3. Under Use Writing Assistance, toggle it off.

  • Google Chrome

1. Go to chrome://settings/languages
2. To disable "Enhanced Spell Check" in Chrome, select Basic spell check or toggle off Spell
Check.

After turning off these add-on spell check features, it is advisable to change your online passwords