Published: April 28, 2023 on our newsletter Security Fraud News & Alerts Newsletter.
Amid growing concerns about big tech already having too much of our personal information, Otto-JS found using spell-check in Google Chrome or Microsoft Edge browsers sends your PII to those companies. Aside from login data, PII like email and physical addresses, Social Security numbers, financial data, birth date and more are also sent when filling-out forms online, including on cloud-based apps used for business.
It's Called “Spell-Jacking”
Otto-JS researchers named this data security threat “spell-jacking.” They also find that enterprise PII is vulnerable since several widely used enterprise apps also spell-jack, including Microsoft 365, Amazon Web Services, Google Cloud, LastPass, and Alibaba. For a business, using these apps for spelling and grammar checking can spell d-i-s-a-s-t-e-r should their sensitive data end up being sold or abused.
Password Peeking Problem
Passwords in particular can be at risk when signing-in to an app or other software program. Login pages offering the option to view the typed-in password often display the “eye icon” to click on or off. It’s important to remember that opting to see the password automatically sends it for review by Google, Microsoft, and the others.
Using spell-check shouldn’t put PII at risk, but for now, that’s the way it works. Big tech should have our backs when it comes to data privacy. But as the headlines continue to spell out the never-ending data breaches, we know PII protection falls to the individual and not to those who collect it.
What You Can Do
The researchers found Google’s built-in “Enhanced” spell-check and Microsoft Edge’s browser extension “Microsoft Editor: Spelling & Grammar Checker” are both guilty of sending PII for spell review. Google Enhanced users can disable the option in the browser, and Microsoft’s option is a downloaded extension that can be removed.
It's important to remember that all extensions, according to Kaspersky, “Even extensions that are not malicious can be dangerous. The danger arises because most extensions have the ability to collect a lot of data about users.” So, before you download an extension, do research and check user reviews if available. If you have browser extensions that you aren’t using, disable them, or get rid of them altogether.
Ultimately, it’s up to the user, employee, or enterprise to decide if the benefits of using extensions are worth the potential risks.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at firstname.lastname@example.org