You must beware! Browser spell-checking features could put your personal data at risk


Both Google Chrome and Microsoft Edge offer an enhanced spell check feature that automatically detects and corrects misspelled words. While this feature may seem useful and convenient, recent research shows that it can pose a serious privacy risk.

When enabled, Chrome’s enhanced spell check and the Microsoft Editor extension send the text you type into form fields to Google’s and Microsoft’s servers so that the spelling can be checked there. The basic spell checker, by contrast, works from a local dictionary and sends nothing.

What is Spell Jacking?

Spell-jacking refers to the exposure of personally identifiable information (PII) through the enhanced spell check feature in Chrome and Microsoft Editor.

Research by the JavaScript security company otto-js found that text entered into form fields was transmitted to third-party servers belonging to Google and Microsoft whenever the enhanced spell check feature was enabled.

Depending on the websites you visit, the information disclosed may include usernames, passwords, addresses, dates of birth, social security numbers (SSNs), banking and payment information, and more.

Although both features are disabled by default, they are very easy to turn on, and most users who enable them have no idea what is happening in the background.

Who is at risk?

otto-js identified the top five online services affected by this issue: Alibaba Cloud, Office 365, AWS Secrets Manager, Google Cloud Secret Manager and LastPass. AWS and LastPass reportedly mitigated the issue, and Google fixed it for some of its services.

However, it’s not just enterprise users who are at risk. otto-js tested over 50 websites that people use frequently and that handle sensitive information. It placed 30 of these websites into six categories, five websites per category, to build a benchmark of how often and how much data is exposed. The six categories are:

  1. Online banking
  2. Health care
  3. Cloud office tools
  4. Government
  5. Social media
  6. E-commerce

In the control group of 30 websites, otto-js found that around 97% sent sensitive user data to Google or Microsoft when the enhanced spell check features were enabled.

Additionally, more than 73% of the websites sent passwords to Google or Microsoft when users clicked “Show Password”. Password fields themselves are not spell-checked, but a show-password control typically switches the field from type="password" to type="text", and from that moment its contents are treated like any other text.

This presents a significant security issue for enterprise credentials and client-side security.

How to Mitigate Spell-Jacking

A password manager, a good antivirus program and a VPN remain sensible ways to protect your login credentials, but they do not address this problem: the data is sent by the browser itself, over its own connection to Google or Microsoft, so normal cybersecurity practices are not enough in this case.

One way for businesses to minimize exposure is to add spellcheck="false" to input fields that collect personal information. The browser then excludes those fields from spell checking, so their contents are never handed to the spell-check service.

Another way companies can mitigate the impact of spell-jacking is to disable the “Show Password” feature for users. It won’t stop spell checking elsewhere on the page, but it will keep users’ passwords from being sent.
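The two mitigations above, as an added example that is not code from otto-js, from the article, or from any of the sites named: a helper that renders sensitive fields with spellcheck="false", a small audit that scans a page’s markup for sensitive fields that still lack it, and a show-password toggle that keeps the attribute in place when the field is revealed. The list of sensitive field names and the sample form are constructed for the example.

```javascript
// Added example for this article, not code from otto-js or from any site it names.
// Runs under Node.js; togglePasswordVisibility also works on a real <input> in a browser.

// Field names that should never reach a cloud spell-check service. This list is
// an assumption for the example; extend it to match your own forms.
const SENSITIVE_NAME = /pass|pwd|secret|token|ssn|card|cvv|iban|account|dob|email/i;

// Render an <input> that opts out of spell checking. spellcheck="false" is the
// attribute the article recommends; Chrome and Edge then skip the field when
// sending text to the enhanced checker.
function sensitiveInput(name, type = 'text', extraAttrs = '') {
  const extra = extraAttrs ? ' ' + extraAttrs : '';
  return `<input name="${name}" type="${type}" spellcheck="false" autocomplete="off"${extra}>`;
}

// Read one attribute value out of an <input> tag's attribute string.
function attr(attrs, name) {
  const re = new RegExp('\\b' + name + '\\s*=\\s*["\']?([^"\'\\s>]+)', 'i');
  const m = attrs.match(re);
  return m ? m[1] : undefined;
}

// Walk every <input ...> tag in an HTML string and return the names of fields
// that look sensitive but do not carry spellcheck="false". A regex tag scanner
// is enough to audit your own templates; it is not a general HTML parser.
function findExposedInputs(html) {
  const exposed = [];
  const tagRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const name = attr(attrs, 'name') || '';
    const type = (attr(attrs, 'type') || 'text').toLowerCase();
    const spellcheck = (attr(attrs, 'spellcheck') || '').toLowerCase();
    const sensitive = type === 'password' || SENSITIVE_NAME.test(name);
    if (sensitive && spellcheck !== 'false') {
      exposed.push(name || '(unnamed ' + type + ')');
    }
  }
  return exposed;
}

// Show-password toggle that does not re-expose the field. The leak the article
// describes happens when a site flips type="password" to type="text" so the user
// can read the value; the enhanced checker then sees it like any other text.
// Pinning spellcheck="false" on the element before flipping keeps the revealed
// value out of that path. `el` is the <input> element in a browser; anything
// with a `type` property and a setAttribute method works, which is how an
// offline test can drive it.
function togglePasswordVisibility(el) {
  el.setAttribute('spellcheck', 'false');
  el.type = el.type === 'password' ? 'text' : 'password';
  return el.type;
}

// Constructed sample form: username and password hardened, the other fields
// left the way many sites ship them.
const SAMPLE_FORM = `
<form>
  ${sensitiveInput('username')}
  <input name="email" type="email">
  ${sensitiveInput('password', 'password')}
  <input name="ssn" type="text" spellcheck="true">
  <input name="search" type="text">
</form>`;

console.log('Exposed fields:', findExposedInputs(SAMPLE_FORM));
```

In a browser you would attach togglePasswordVisibility to the show-password button’s click handler and run findExposedInputs over document.documentElement.outerHTML (or over your server-side templates in CI). Note that spellcheck="false" only tells the browser to leave the field alone; it does nothing against an extension or script that reads the field directly.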

Companies can also deploy endpoint management or security tooling that disables the enhanced spell check features by policy and prevents employees from installing unvetted or compromised browser extensions.

For individual users, here’s how to disable the enhanced spell check feature in Chrome and Edge browsers:

Google Chrome

The easiest way to keep your personal data from being sent to Google is to turn off enhanced spell check for the time being. You can do this in Chrome’s settings as follows:

  1. Click the three dots in the upper right corner of your browser and select Settings.
  2. Scroll down and click Advanced to display additional settings.
  3. Select Languages from the options that appear on the left side of the screen.
  4. Under the Spell check section, select Basic spell check instead of Enhanced spell check.

You can also access the page by simply pasting the following link into your browser’s address bar and pressing Enter:


Microsoft Edge

For Microsoft Edge users, the spell checker is a browser extension. To remove it from your browser, right-click the extension icon and choose “Remove from Microsoft Edge”.

If you can’t find the icon on your browser’s toolbar, you can remove it from the extensions list instead. Click “Extensions” to the right of the address bar, select “More actions” next to the extension you want to remove, and click “Remove from Microsoft Edge”.

And that’s how you protect your personal data at the moment.
