Recent investigations by the otto-js research team have found that data being checked by both Microsoft Editor and the enhanced spell checker settings within Google Chrome is being sent to Microsoft and Google respectively. This data can include usernames, emails, date of birth, SSN, and basically anything you type into a text box that these functions check for.

As an additional note, even passwords can be submitted using these functions, but only when the “Show Password” button is pressed, which converts the password to visible text, which is then verified.

The key issue is resolved around the user’s sensitive Personally Identifiable Information (PII), and this is a key concern for enterprise credentials when accessing internal databases and cloud infrastructure. In the images below shared by otto-js, you can see a user logging into Alibaba Cloud, and their data is shared with Google.

Some companies are already taking steps to prevent this, and the security teams at AWS and LastPass confirm that they have mitigated this with an update. The problem has already been dubbed ‘spell spell’. Most worryingly, these settings are so easy for users to enable and could result in data being exposed without anyone noticing.

The otto-js team tested 30 websites, across a variety of industries, and found that 96.7% of them were sending PII data to Google and Microsoft.

Interestingly, the only website that mitigated the problem for this group was Google itself, but only for some services and not all of its products that were tested. The otto-js research team currently recommends that these extensions and configurations not be used until this issue is resolved.

Source: otto-js research team