spell-jacked

You’ve probably heard someone say something along the lines of “spell checkers have killed our ability to spell” within the past decade. Whether that’s true or not is a debate for another day. But it highlights that spell checkers and autocorrection are extremely popular, and practically every device with a screen and a keyboard includes one.

Some web browsers even ship with their own spell checking components. Just trying to be helpful, right?

What if I told you that these spellcheckers transmitted your form data (i.e., any text entered in a web form on a website) to the browser vendor? Not so helpful anymore…

That’s spell-jacking: spell checker software transmitting personal information to big tech without your knowledge or consent.

This post looks at what spell-jacking is, how it works, and how to mitigate the issue.

What is spell-jacking?

It’s important to note that spell-jacking isn’t an online attack. It’s a bug or a design flaw, but one that can have the same consequences as an attack.

The issue stems from how Google Chrome and Microsoft Edge implemented Chrome’s Enhanced Spellcheck and Microsoft Editor, respectively.

Both Google Chrome and Microsoft Edge ship with basic spellcheckers enabled. These are innocuous and don’t transmit any data. However, users have the option of enabling the vendors’ enhanced spellchecker, named above. These are the culprits.

If you’ve enabled Enhanced Spellcheck in Chrome or Microsoft Editor in Edge, you’re sharing your form data with Google or Microsoft. It happens regardless of which site you visit. As long as there’s a form, they can see your text.

The practice is especially concerning on government or banking sites that require you to enter your Social Security Number (SSN) or your Social Insurance Number (SIN), your name, address, date of birth, email address, contact info, account numbers, etc.

It’s indiscriminate. Your data belongs to the maker of your browser as soon as text is entered into a web form. This even applies to password fields. Although thankfully, there’s an additional hoop to jump through for that to happen.

Many password fields obfuscate your entered password as you type, converting your password to ●●●●●●●●. Sometimes, you may think you mistyped something, so you click on the “show password” button to reveal what you entered. As soon as that button is clicked, the dots turn to text, and your password is sent to Google / Microsoft.

Josh Summitt, co-founder & CTO of JavaScript security firm otto-js, discovered the bug. He explains in a blog post, “Some of the largest websites in the world have exposure to sending Google and Microsoft sensitive user PII, including username, email, and passwords, when users are logging in or filling out forms. An even more significant concern for companies is the exposure this presents to the company’s enterprise credentials to internal assets like databases and cloud infrastructure.”

The screenshot below, taken from otto-js’ blog, shows the password from the Alibaba login page being transmitted to Google. It also shows that the issue stems from a bug. We can see on the bottom right (the server response, i.e., Google) that the text was transmitted to perform spell checking, as evidenced by the “suggestion” for proper spelling in the response. The “show password” button was clicked to trigger the transmission of the password.

[Screenshot: Alibaba login page password transmitted to Google’s spell check service, with the server’s spelling “suggestion” visible in the response]

To address the issue, Google made the following statement:

“The Enhanced spell check feature requires an opt-in from the user. The text typed by the user may be sensitive personal information, and Google does not attach it to any user identity and only processes it on the server temporarily. To further ensure user privacy, we will be working to exclude passwords proactively from spell check. We appreciate the collaboration with the security community and are always looking for ways to better protect user privacy and sensitive information.”

The issue was tested using login credentials, and was found to be present on the following major websites:

  • CNN – Transmitted username and password when ‘show password’ was clicked
  • Facebook.com – Transmitted username and password when ‘show password’ was clicked
  • SSA.gov (Social Security Login) – Only the username field was transmitted
  • Bank of America – Only the username field was transmitted
  • Verizon – Only the username field was transmitted

So, how did SSA.gov, Bank of America, and Verizon only transmit the username even though the “show password” button was clicked? Let’s talk about mitigations, and it’ll become clearer.

How to mitigate spell-jacking?

Server-side

‘spellcheck=false’

Organizations can mitigate the risk to their users’ personal information by adding the ‘spellcheck’ HTML attribute and setting it to false: ‘spellcheck=false’. The attribute can be set on all input fields to prevent spell-jacking altogether. Or it can simply be added to the most sensitive fields, like the password field. That’s what SSA.gov, Bank of America, and Verizon did. And that’s why passwords were not transmitted even when the ‘show password’ button was clicked.

[Screenshot: password field with the ‘spellcheck=false’ attribute set]

Website administrators should add ‘spellcheck=false’ to all input fields of their site(s). Or, at the very least, set the attribute on the password field. It should also be noted that if the ‘spellcheck’ HTML attribute is left out, web browsers will typically assume that it’s set to true by default.
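As an added example (not code from the original post or from otto-js), the Node.js script below does two things the section describes: it audits form markup for text-bearing fields that do not carry spellcheck="false" (a missing attribute counts, since browsers default it to true) and emits hardened markup with the attribute set on every such field. It also includes a “show password” toggle that sets spellcheck="false" before switching the field from type="password" to type="text", which is the moment at which the post says the password becomes visible to the enhanced spell checker. The sample markup and the list of “sensitive” field-name fragments are constructed for this example and are not taken from any of the sites named in the post.

```javascript
// Added example, not code from the original post or from otto-js.
// Audits form markup for fields lacking spellcheck="false", emits hardened
// markup, and shows a "show password" toggle that keeps the attribute in place.
// SAMPLE_HTML and SENSITIVE_PATTERN are constructed for this example.
const SAMPLE_HTML = `
<form id="login">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" spellcheck="true">
  <input type="text" name="ssn" placeholder="Social Security Number">
  <input type="text" name="search">
  <textarea name="comments"></textarea>
  <input type="submit" value="Sign in">
</form>`;

// Name/id/autocomplete/placeholder fragments treated as PII (an assumption
// for this example; extend it to match your own forms).
const SENSITIVE_PATTERN = /pass|pwd|ssn|\bsin\b|social|account|card|birth|dob|email|user/i;

// Controls that never carry typed text, so spell checking cannot apply to them.
const NON_TEXT_TYPES = new Set(['submit', 'button', 'hidden', 'checkbox',
  'radio', 'file', 'reset', 'image']);
const TAG_RE = /<(input|textarea)\b([^>]*)>/gi;

// Turn the attribute part of a start tag into an object; handles double-quoted,
// single-quoted, bare and value-less attributes (enough for regular markup).
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// 'password' for password inputs, 'sensitive' when the field looks like PII,
// 'text' for any other text-bearing field, null for controls with no typed text.
function classify(tag, attrs) {
  const type = (attrs.type || 'text').toLowerCase();
  if (tag === 'input' && NON_TEXT_TYPES.has(type)) return null;
  if (type === 'password') return 'password';
  const label = [attrs.name, attrs.id, attrs.autocomplete, attrs.placeholder].join(' ');
  return SENSITIVE_PATTERN.test(label) ? 'sensitive' : 'text';
}

// Report every text-bearing field whose spellcheck attribute is not "false".
// A missing attribute is reported too, because browsers treat it as enabled.
function auditSpellcheck(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttributes(m[2]);
    const kind = classify(tag, attrs);
    if (kind === null) continue;
    const spellcheck = (attrs.spellcheck ?? 'missing').toLowerCase();
    if (spellcheck !== 'false') {
      findings.push({ tag, name: attrs.name || attrs.id || '(unnamed)', kind, spellcheck });
    }
  }
  return findings;
}

// Rewrite the markup so every text-bearing field carries spellcheck="false",
// replacing any existing value and preserving a self-closing slash.
function hardenSpellcheck(html) {
  return html.replace(TAG_RE, (whole, tag, body) => {
    if (classify(tag.toLowerCase(), parseAttributes(body)) === null) return whole;
    let rest = body.replace(/\s*spellcheck\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, '');
    const selfClosing = /\/\s*$/.test(rest);
    rest = rest.replace(/\s*\/\s*$/, '');
    return `<${tag}${rest} spellcheck="false"${selfClosing ? ' /' : ''}>`;
  });
}

// A "show password" toggle that sets spellcheck="false" before switching the
// field to type="text", so the revealed value stays out of the enhanced spell
// checker. `field` is anything with getAttribute/setAttribute: a real
// HTMLInputElement in the browser, or a stub object when run outside one.
function togglePasswordVisibility(field) {
  const revealing = field.getAttribute('type') === 'password';
  if (revealing) {
    field.setAttribute('spellcheck', 'false');
    field.setAttribute('type', 'text');
  } else {
    field.setAttribute('type', 'password');
  }
  return revealing;
}

console.log('Fields without spellcheck="false":', auditSpellcheck(SAMPLE_HTML));
console.log(hardenSpellcheck(SAMPLE_HTML));
```

The audit reports plain text fields as well as password and PII-like ones, since the post’s recommendation is to set the attribute on all input fields; the `kind` value lets you prioritise the password and sensitive ones if you only fix those. In a live page the same check can be done from the browser console with `document.querySelectorAll('input, textarea')` and each element’s `spellcheck` property, which reflects the attribute and reads as true when the attribute is absent.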

As a somewhat ironic side-note, while we’re on the subject, Twitter’s login password field had the ‘spellcheck’ attribute explicitly set to ‘true’ at the time of writing. Here’s to hoping the “new” Twitter takes care of that.

[Screenshot: Twitter login password field with the ‘spellcheck’ attribute set to ‘true’]

Client-side

As a user, you don’t need to cross your fingers and hope the websites you frequent set the ‘spellcheck=false’ attribute. You can take steps to disable that behavior if you enabled it in the past.

One simple thing you can do without touching anything is to avoid clicking the ‘show password’ button. It won’t prevent spell-jacking, but it’ll at least prevent your passwords from being transmitted.

Below are detailed steps to disable Microsoft’s Editor add-on and Google’s Enhanced spell check.

Microsoft Edge

First, if you know you haven’t installed the Microsoft Editor add-on, don’t. And you’re done.

If you’re not sure whether or not you installed it, here’s how you can check:

  1. In Microsoft Edge, click Extensions from the right side of the address bar. This displays the list of installed extensions/add-ons.

If you did install it, here’s how to remove it. There are two methods:

Method 1

  1. In Microsoft Edge, right-click the Microsoft Editor add-on’s icon to the right of the address bar.
  2. Select Remove from Microsoft Edge > Remove.

Method 2

  1. In Microsoft Edge, from the right side of the address bar, click Extensions and then More actions next to the Microsoft Editor add-on.
  2. Select Remove from Microsoft Edge > Remove.

Google Chrome

To check if enhanced spell check is enabled in Google Chrome:

  1. Copy and paste the following URL in Chrome’s address bar: chrome://settings/?search=Enhanced+Spell+Check.
  2. That will display the spell check options. Google informs users there that enhanced spell check will transmit whatever they type to Google’s servers.
  3. If Enhanced spell check is selected, select Basic spell check.

Wrap up

So that’s spell-jacking, in a nutshell. It’s not an attack. It’s a design flaw or unintended behavior. But it’s still serious. Very serious. Design flaws can have the same consequences as online attacks. And it also goes to show that in a tech-driven, connected society, you can’t take your online security or privacy for granted.

As we’re all voluntary or involuntary techies, we need to keep up with what’s happening in the tech world by reading articles like this one and others. It could well save your passwords from being transmitted to big tech (or small tech).

Either way, stay safe.