Your Spellchecker Might Have Leaked Your Passwords

If you have ever been uncertain whether a word is spelled correctly, a feature that automatically detects typos can be a lifesaver. Although a seemingly innocent spell-checking tool might not raise any red flags, convenience and confidentiality are regrettably not always compatible online.

This unpleasant side of spellchecking tools was exposed by a recent incident involving Google Chrome and Microsoft Edge. Both browsers’ enhanced spell-check features send any data that is entered into form fields to Google and Microsoft. Accordingly, the exposed information might include your name, phone number, address and even your password.

This article explains the privacy shortcomings of Chrome’s Enhanced Spellcheck and Edge’s MS Editor and what you can do to keep your data safe.

The risks of these tools

You may already be familiar with Chrome and Edge's basic spell-checking tools, which are enabled by default and often go unnoticed by users. Luckily, these built-in tools are nothing to worry about. However, both browsers offer "enhanced" spell-checking alternatives that can identify misspelled words more accurately, thanks to the significantly larger amount of data they have at their disposal. While the claim about the tools' higher accuracy may be true, it does raise the question of where all this additional data comes from. The answer is simple: from everyone who has Enhanced Spellcheck or MS Editor enabled.

By enabling these features, you simultaneously authorize the browsers to transmit the information you enter into form fields to their respective companies (Google and Microsoft). Although this transmission of your data is a well-intended function of these tools, it still raises concerns about the fate of the forwarded information and how safe this practice is.

These worries were proven legitimate when Otto Javascript Security (otto-js) recently exposed the concerning extent of information these spell-check functions extract from their users: the tools have the potential to reveal personally identifiable information (PII) from some of the most popular platforms and applications (such as Office 365, Google Cloud and Alibaba). This phenomenon, often called spelljacking, therefore poses a severe security risk to your sensitive data, including your full name, date of birth, social security number, payment details, and passwords.

How to protect your data

While having your data exposed without your consent is frightening, there are luckily some measures you can take to protect yourself from spelljacking.

Disable Enhanced Spellcheck and MS Editor

While a specialized spellchecker is a handy tool for writing all kinds of texts, given the security flaws discovered in Enhanced Spellcheck and MS Editor, it is recommended to use an alternative instead, at least until the developers figure out a way to address these issues.

Thus, one of the most obvious ways to protect yourself from having your personal information sent to Microsoft and Google is to disable Enhanced Spellcheck. Luckily, this is an effortless procedure that can be done via Chrome’s settings. Simply navigate to chrome://settings/syncSetup and uncheck the box labeled “Enhanced Spellcheck.”

Uninstalling MS Editor on Microsoft Edge is equally simple. Navigate to the tool’s page on Edge Add-ons and remove it by clicking the blue button next to its name.
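
To confirm the Chrome setting is off in every local profile, the following added example (not part of the original article) reads each profile's Preferences JSON file and reports the state of the toggle. It assumes the toggle is stored under the `spellcheck.use_spelling_service` preference and that an absent key means it is off; the profile names and file contents are constructed sample data.

```python
import json
import tempfile
from pathlib import Path

# Assumption: Chromium stores the Enhanced Spellcheck toggle in each profile's
# "Preferences" JSON file under spellcheck.use_spelling_service.
PREF_PATH = ("spellcheck", "use_spelling_service")


def enhanced_spellcheck_enabled(prefs: dict) -> bool:
    """Return True only if the preference is present and explicitly true."""
    node = prefs
    for key in PREF_PATH:
        if not isinstance(node, dict) or key not in node:
            return False  # key absent: treated as off (assumed default)
        node = node[key]
    return node is True


def audit_user_data_dir(user_data_dir: Path) -> dict:
    """Map each profile directory name to 'enabled', 'disabled' or 'unreadable'."""
    results = {}
    for prefs_file in sorted(user_data_dir.glob("*/Preferences")):
        try:
            prefs = json.loads(prefs_file.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            # Locked, truncated or corrupt file: report it, do not guess.
            results[prefs_file.parent.name] = "unreadable"
            continue
        enabled = enhanced_spellcheck_enabled(prefs)
        results[prefs_file.parent.name] = "enabled" if enabled else "disabled"
    return results


def build_sample_dir(root: Path) -> Path:
    """Constructed sample data standing in for a Chrome user data directory."""
    samples = {
        "Default": '{"spellcheck": {"dictionaries": ["en-US"], "use_spelling_service": true}}',
        "Profile 1": '{"spellcheck": {"dictionaries": ["en-US"]}}',
        "Profile 2": '{"spellcheck": {"use_spell',  # truncated file
    }
    for name, body in samples.items():
        (root / name).mkdir(parents=True)
        (root / name / "Preferences").write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for profile, state in audit_user_data_dir(build_sample_dir(Path(tmp))).items():
            print(f"{profile}: {state}")
```

To check a real installation, pass the browser's user data directory to `audit_user_data_dir` while the browser is closed.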

Use passwordless login methods to protect your account

The most foolproof way of protecting your password is simply not having one. Accordingly, it is strongly advised to confirm your identity via a passwordless method (such as biometrics, a physical token, or a one-time password) whenever a platform allows you to do so. While this measure alone does not keep the enhanced spell-checking tools from transmitting all the other information you enter into form fields, at least your account remains safe from unwanted access.
