A serious security flaw has been discovered in Google Chrome and Microsoft Edge that allows personal information, including passwords, to be shared in cleartext with third parties.
As TechRadar reports, the flaw was discovered by JavaScript security firm otto-js and is referred to as "Spell-Jacking." The problem stems from the use of Chrome's Enhanced Spellcheck and Edge's Microsoft Editor features, both of which are turned off by default but can be enabled by the user. In the case of the Microsoft Editor, it takes the form of an add-on you need to install.
When they are enabled, the user is informed that data will be sent to Google and Microsoft. This is typical, as all companies like to collect usage statistics and data to help improve how a feature performs. However, in this case the personal information being entered by a user into either browser is also being shared in cleartext. This can include username, password, email address, date of birth, social security number, payment details, and the list goes on.
As Josh Summit, co-founder and CTO of otto-js explains, in the case of Chrome's Enhanced Spellcheck, "If 'show password' is enabled, the feature even sends your password to their 3rd-party servers. While researching for data leaks in different browsers, we found a combination of features that, once enabled, will unnecessarily expose sensitive data to 3rd Parties like Google and Microsoft. What's concerning is how easy these features are to enable and that most users will enable these features without really realizing what is happening in the background."
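An added example (not from otto-js, Google or Microsoft, and not part of the original article): a site can opt a field out of browser spellchecking with the standard HTML `spellcheck="false"` attribute, and the JavaScript below audits markup for text-bearing fields that lack it. The function names and the sample form are constructed for illustration; password fields are included because a "show password" toggle turns them into plain text fields.

```javascript
// Added example: audit HTML markup for fields that browser spellcheck could read.
// "password" is included because a "show password" toggle switches the field
// to type="text", at which point spellcheck applies to it.
const TEXT_TYPES = new Set(["text", "password", "email", "search", "tel", "url"]);

// Parse the attributes of one tag into a lower-cased name -> value map.
function parseAttrs(tagSource) {
  const attrs = {};
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const body = tagSource.replace(/^<\s*[a-zA-Z]+/, "").replace(/\/?>$/, "");
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").trim();
  }
  return attrs;
}

// Return one finding per <input>/<textarea> that does not opt out of spellcheck.
function findSpellcheckExposedFields(html) {
  const findings = [];
  const tagRe = /<\s*(input|textarea)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[0]);
    const type = tag === "input" ? (attrs.type || "text").toLowerCase() : "textarea";
    if (tag === "input" && !TEXT_TYPES.has(type)) continue; // checkbox, hidden, ...
    if ((attrs.spellcheck || "").toLowerCase() === "false") continue; // opted out
    findings.push({ name: attrs.name || attrs.id || "(unnamed)", type });
  }
  return findings;
}

// Constructed sample form, not taken from any real site.
const SAMPLE_FORM = `
<form>
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="ssn" spellcheck="false">
  <input type="checkbox" name="remember">
  <textarea name="notes"></textarea>
</form>`;

console.log(findSpellcheckExposedFields(SAMPLE_FORM));
```

The check is per tag and does not follow a `spellcheck` value inherited from a parent element, so a form that sets the attribute on a container will be over-reported.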
Otto-js listed the top five online services used by enterprise companies that are at risk