If you are using the enhanced spellcheck features of Edge and Chrome, it may be time to turn them off: a new report shows that the feature can send the contents of the forms you fill in to Microsoft and Google, the companies that own those browsers. (via Bleeping Computer)
When activated, the features send the text typed into form fields to Microsoft or Google for checking. What is transmitted depends on the form being filled out, so the more fields you fill in on a site, the more data can be sent to the companies while enhanced spellcheck is on. For instance, a website might require personally identifiable information (PII) such as your full name, home address, email address, Social Security Number, passport number, driver’s license number, credit card numbers and date of birth. Worse, your passwords can also be transmitted to Microsoft and Google, according to the otto-js Research Team, which calls the process “Spell-jacking” and says it “violates a fundamental security principle of ‘need-to-know’ and could be considered a violation of privacy.”
Spell-jacking can happen on any website as long as you are using Edge or Chrome with the enhanced spellcheck feature enabled. To prove it, otto-js showed what happened when they logged into the company’s Alibaba Cloud account with an employee’s credentials: the password was sent to Google. otto-js also shared a video demonstration showing how spell-jacking can expose a company’s cloud infrastructure, including servers, databases, corporate email accounts, and password managers.
“The video uses a common scenario in the workplace to illustrate how easy it is to enable the browser-enhanced spellcheck features and how an employee could expose the company without ever knowing it,” otto-js adds. “Most CISOs would be extremely alarmed to learn that their company’s administrative credentials were unwittingly shared in cleartext with a third party, even one they generally trust.”
Besides leaving Chrome’s Enhanced spell check feature and Edge’s Microsoft Editor Spelling & Grammar Checker add-on disabled, otto-js said companies can also reduce the spell-jacking risk on their own sites by adding “spellcheck=false” to form fields.
“Companies can mitigate the risk of sharing their customers’ PII – by adding ‘spellcheck=false’ to all input fields, though this could create problems for users,” suggests otto-js. “Alternatively, you could add it to just the form fields with sensitive data. Companies can also remove the ability to ‘show password.’ That won’t prevent spell-jacking, but it will prevent user passwords from being sent. Companies can also use client-side security software like otto-js to monitor and control third-party scripts.”
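The mitigation otto-js describes, as an added example that is not part of the article or otto-js’s own tooling: an audit helper that flags sensitive form fields lacking an explicit spellcheck="false", and a hardening step that sets the attribute on those fields only, so ordinary text fields keep spellcheck. The field descriptors and the name-based heuristic for what counts as sensitive are assumptions constructed for this example.

```javascript
// Added example (not from the article or otto-js). Field descriptors are plain
// objects mirroring <input> attributes so the check runs outside a browser too.
const SENSITIVE_NAME_HINTS = /pass(word)?|ssn|social|passport|licen[cs]e|card|cvv|dob|birth/i;

// Heuristic (an assumption of this example): password inputs, credit-card or
// password autocomplete tokens, and names hinting at PII are treated as sensitive.
// A password field counts even though browsers skip spellcheck on type=password,
// because a "show password" toggle turns it into a spellchecked text field.
function isSensitiveField(field) {
  if (field.type === 'password') return true;
  if (field.autocomplete && /^(cc-|new-password|current-password)/.test(field.autocomplete)) return true;
  return SENSITIVE_NAME_HINTS.test(field.name || '');
}

// Names of sensitive fields whose spellcheck attribute is not explicitly "false".
function findSpellcheckExposure(fields) {
  return fields
    .filter(isSensitiveField)
    .filter((f) => String(f.spellcheck).toLowerCase() !== 'false')
    .map((f) => f.name);
}

// Hardened copy: spellcheck="false" on sensitive fields, other fields untouched,
// matching the "just the form fields with sensitive data" option quoted above.
function hardenFields(fields) {
  return fields.map((f) => (isSensitiveField(f) ? { ...f, spellcheck: 'false' } : { ...f }));
}

// Render a descriptor as an <input> tag string, e.g. for a server-side template.
function renderInput(field) {
  const attrs = Object.entries(field)
    .filter(([, v]) => v !== undefined)
    .map(([k, v]) => `${k}="${String(v).replace(/"/g, '&quot;')}"`)
    .join(' ');
  return `<input ${attrs}>`;
}

// Constructed sample login/profile form for the audit.
const SAMPLE_FIELDS = [
  { name: 'username', type: 'text', spellcheck: 'true' },
  { name: 'password', type: 'password' },
  { name: 'ssn', type: 'text', autocomplete: 'off' },
  { name: 'comment', type: 'text' },
];

console.log('exposed before hardening:', findSpellcheckExposure(SAMPLE_FIELDS));
console.log(hardenFields(SAMPLE_FIELDS).map(renderInput).join('\n'));
```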
The security firm said it is unknown whether the data transmitted to Microsoft and Google is stored, or how it is managed. Microsoft has not yet commented, but a Google spokesperson told BleepingComputer that “Google does not attach it to any user identity and only processes it on the server temporarily.”