In a control group of 30 websites, including some of the largest websites in the world, the research team at cyber security firm otto-js found that 96.7 percent of those websites sent data with Personally Identifiable Information (PII) back to Google and Microsoft when enhanced spell check features in Chrome and Edge were enabled. Of those websites tested, 73 percent sent passwords when “show password” was clicked, presenting a significant security concern for company databases, cloud infrastructure and enterprise credentials.

Given that a single breach can cost US businesses up to $10 million on average, this latest research just goes to show how important it is to keep your cyber security measures constantly up to date.

Here’s what we know.

Research conducted by security firm otto-js found that in cases where Google Chrome’s Enhanced Spell checker and the Microsoft Edge equivalent (Edge Editor) were enabled, all information entered in any form field, including usernames, DOB, SSN and passwords (via the ‘Show Password’ field), was transmitted to Google and Microsoft third-party servers, potentially exposing your data.

While it’s unclear whether spell check collects this data securely, one thing we do know is that the best way to secure your passwords is to keep them hidden. otto-js recommends that website owners add “spellcheck=false” to all input fields to reduce the risk of sharing PII, and remove the ability to ‘show password’ to prevent user passwords from being sent. Implementing endpoint security solutions to disable enhanced spell check features may be your best bet, though.

The only upside with spell-jacking is that, in order to be at risk, users would need to manually enable the enhanced spell checker feature. Unfortunately it’s very easy to enable, meaning users could have it running in the background without realising, so it’s best to act preventively and be vigilant.
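
The “spellcheck=false” recommendation above, as an added example (not otto-js code and not part of the original article): a small script that sets the attribute on every input, textarea and editable region, and keeps it set on fields that appear after the page has loaded. The selector and function names are assumptions made for illustration.

```javascript
// Added example: names and selector are illustrative, not taken from otto-js.
// Fields the page's recommendation covers: inputs, textareas, editable regions.
const FIELD_SELECTOR = 'input, textarea, [contenteditable]';

// Set spellcheck="false" on one element. Returns true if the attribute changed.
function disableSpellcheck(el) {
  if (el.getAttribute('spellcheck') === 'false') return false;
  el.setAttribute('spellcheck', 'false');
  return true;
}

// Harden `root` itself (if it is a field) and every field beneath it.
// `root` is a Document or an Element. Returns how many fields were changed.
function hardenFields(root) {
  let changed = 0;
  if (root.matches && root.matches(FIELD_SELECTOR) && disableSpellcheck(root)) {
    changed += 1;
  }
  for (const el of root.querySelectorAll(FIELD_SELECTOR)) {
    if (disableSpellcheck(el)) changed += 1;
  }
  return changed;
}

// Keep fields hardened after load: covers fields inserted later (modals,
// single-page-app views) and scripts that reset or remove the attribute.
function watchFields(doc) {
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      if (m.type === 'attributes' && m.target.matches(FIELD_SELECTOR)) {
        disableSpellcheck(m.target);
      }
      for (const node of m.addedNodes) {
        if (node.nodeType === 1) hardenFields(node); // 1 = element node
      }
    }
  });
  observer.observe(doc.documentElement, {
    childList: true,
    subtree: true,
    attributes: true,
    attributeFilter: ['spellcheck', 'contenteditable'],
  });
  return observer;
}

// Run only in a browser; under Node there is no document.
if (typeof document !== 'undefined') {
  hardenFields(document);
  watchFields(document);
}
```

Because a “show password” toggle only changes the field's type, the attribute set on a password input stays in place when the field is revealed.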