Personal Data Is More Threatened When Using Google And Microsoft's Enhanced Spellcheck Features

JAKARTA - The additional spell check feature or Enhanced Spellcheck may be very useful to ensure that there are no typos, but in fact this feature can endanger users' personal data.

Google Chrome and Microsoft Edge browsers are known to have the Enhanced Spellcheck feature, but amid the convenience when using them, there is a risk that users' personal data can also be spread widely.

Researchers from JavaScript security company otto-js made a discovery that might make us think twice about using the Enhanced Spellcheck tool in both browsers.

By enabling the tool, then everything typed on any website will be sent to Google for spell checking.

Co-founder and CTO of otto-js, Josh Summitt explains almost everything a user enters on a form and with the Enhanced Spellcheck feature enabled the information is transmitted to Google and Microsoft.

"While researching data leaks in different browsers, we found a combination of features that once enabled, there is no need to expose sensitive data to third parties such as Google and Microsoft," said Summit as quoted from Beta News, Tuesday, September 20.

"If 'show password' is enabled, the feature even sends your password to their third party server. If you click 'show password', the enhanced spell checker even sends your password, basically they hijack your spelling data," he added.

This means that any data you enter online, including your date of birth, payment details, contact information, and login credentials, can all be sent back to Google and Microsoft.

According to Summit, what's worrying is how easy it is to activate and most users will activate this feature without actually realizing what's going on in the background.

Summit also explained that some of the world's largest websites have access to send Google and Microsoft sensitive users PII (Personally Identifiable Information), including usernames, emails and passwords, when users log in or fill out forms.

This issue affects a number of major websites and services, including Office 365, Alibaba Cloud Service, and Google Cloud Secret Manager. LastPass and AWS Secrets Manager were also found to be affected, but these companies have now implemented mitigations.

Meanwhile a Bleeping Computer report found also transmissions of usernames to SSA.gov, Bank of America, and Verizon, using Chrome, with passwords also exposed to CNN and Facebook only when show password was enabled.

To prevent this, users can temporarily disable the Enhanced Spellcheck feature or remove it completely from the browser. This is the only way to protect users' personal data, at least until one of the companies revises its privacy policy.