An analysis by JavaScript security firm Otto-JS found that some extended spell checking features added to Google Chrome and Microsoft Edge are causing a data leak. They transmit form data, including Personally Identifiable Information (PII) and, in some cases, passwords, to the owner of the respective web browser.
Finding the Data Leak
It was Josh Summitt, co-founder and CTO of Otto-JS, who figured this out and warned that these spell check features are often active even if users are unaware of it.
Both browsers have basic built-in spell checking that is enabled by default and does not transmit data back to Google or Microsoft. However, Chrome's 'Enhanced Spellcheck' extension and Edge's 'Microsoft Editor' are optional add-ons.
That said, users need to explicitly consent, and while it's obvious that their data will be sent back to both companies to improve the product, it's not so obvious that this might include their PII.
Access to all data online
The security firm said that Chrome and Edge, which work with most text fields on a webpage, can access "basically anything".
This means that all data entered online, including dates of birth, payment details, contact information, logins and passwords, can be sent back to Google and Microsoft.
Summitt even said that if the "show password" option is enabled, the contents of the field will still be sent to third-party servers. Bleeping Computer reports that it found Chrome transmitting usernames entered on SSA.gov, Bank of America and Verizon, and that passwords entered on CNN and Facebook were exposed in the same manner.
What would be the solution?
One way to minimize exposure is for web developers to add the attribute “spellcheck=false” to all input fields that might hold sensitive information.
This effectively blocks browser spell checkers from reading those fields, although it also means that spell checking is disabled for them.
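The developer-side mitigation described above, as an added example that is not from Otto-JS or the original article: a script that sets spellcheck="false" on fields likely to hold credentials or PII, including password inputs before a "show password" toggle can switch them to plain text. The function names and the HINTS pattern are assumptions made for illustration.

```javascript
// Added example: set spellcheck="false" on fields likely to hold credentials or PII.
// HINTS is an assumed heuristic, not an exhaustive list; adapt it to your own forms.
const HINTS = /pass|pwd|user|login|email|ssn|card|cc-|cvv|cvc|bday|birth|tel|phone/i;
const TEXT_TYPES = ["text", "password", "email", "tel", "search", "url"];

function isSensitive(el) {
  const tag = (el.tagName || "").toLowerCase();
  if (tag !== "input" && tag !== "textarea") return false;
  const type = (el.getAttribute("type") || "text").toLowerCase();
  // Checkboxes, buttons and similar inputs carry no free text to spell-check.
  if (tag === "input" && !TEXT_TYPES.includes(type)) return false;
  // Password inputs are covered up front: a "show password" toggle later
  // flips them to type="text", which is when spell checkers can read them.
  if (type === "password") return true;
  const labels = ["type", "name", "id", "autocomplete"].map((k) => el.getAttribute(k) || "");
  return labels.some((v) => HINTS.test(v));
}

// Returns the elements it changed, so the result can be logged or asserted on.
function hardenSensitiveFields(root) {
  const changed = [];
  for (const el of root.querySelectorAll("input, textarea")) {
    if (!isSensitive(el)) continue;
    if ((el.getAttribute("spellcheck") || "").toLowerCase() === "false") continue;
    el.setAttribute("spellcheck", "false");
    changed.push(el);
  }
  return changed;
}

// Browser wiring; skipped when there is no DOM (for example under Node).
if (typeof document !== "undefined") {
  const run = () => hardenSensitiveFields(document);
  document.addEventListener("DOMContentLoaded", run);
  // Re-scan when scripts inject new fields (login modals, checkout steps).
  new MutationObserver(run).observe(document.documentElement, { childList: true, subtree: true });
}
```

Setting the attribute directly in the page's HTML remains the more reliable option, since it applies before any script runs.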
On the user side, temporarily disabling the enhanced spell checker or removing it entirely from the browser seems to be the only way to protect your data, at least until one of the companies revises its privacy policy.