What is the spell-jacking vulnerability and how can your business avoid exposing data?


It isn't only professional writers who rely on spell-checkers to guide them through the day. Your web browser, smartphone, email client and other platforms often make suggestions and automatic corrections with high regularity. Putting the debate around over-reliance on such tools to one side, there’s a growing cyber security threat involving spell-checking – which is where spell-jacking comes in.

Josh Summitt, co-founder and CTO of Otto, a security company specialising in JavaScript monitoring and analysis, was testing script behaviour detection when he realised something was amiss with enhanced spell-checking in Google Chrome and Microsoft Edge. The behaviour in question is the transmission of text typed into web pages, personally identifiable information included, to Google and Microsoft servers. This is, first of all, a privacy issue, and one that only arises once you enter the realm of enhanced browser spell-checking, as opposed to the basic spell-check functionality enabled by default in both Chrome and Edge, which checks against a local dictionary.

If you enable the enhanced spell-check function, then it’s made clear “text that you type in the browser is sent to Google”. As for Microsoft Edge, when you install the Microsoft Editor extension, providing enhanced spelling and advanced grammar checking (for Microsoft 365 subscribers), it’s clearly stated it can “read and change all your data on all websites”. This is shown before you add the extension and in the extension settings afterwards. Indeed, when it comes to the Microsoft Editor extension, you can choose to allow that reading ability on all sites, selected sites, or just when you click the extension icon to activate it.

Browser add-ons include such warnings as they need to be able to analyse inputs to provide the functions you’ve installed them for. There are always links to privacy statements to be found, sometimes requiring a bit of a search, but they should be there. If they’re not, then run away. However, this all comes under the broad heading of “privacy matters”, so what’s the issue with spell-jacking and security?

What is spell-jacking and how does it work?

Last year, Otto’s research team published a report explaining spell-jacking in more detail. The exposure covers pretty much anything typed into a form field, site login fields included, from a browser with enhanced spell-checking enabled. “If ‘show password’ is enabled,” Otto co-founder and CTO Summitt wrote, “the feature even sends your password to their third-party servers.” That is the real spell-jacking danger, which Summitt says “exposes sensitive data to third parties like Google and Microsoft”.

According to Summitt, five big online services were tested and found to expose business data in this way. Of these, two had, at the time of writing, already fully mitigated the issue: Amazon’s AWS and the password manager LastPass, which was the first to respond and fix. Christofer Hoff, chief secure technology officer at LastPass, says it’s disconcerting that customers could “inadvertently expose confidential data by enabling innocuous browser features”.

The problem is when two usability features collide: enhanced spell-checking and password field display. “Websites that provide the option of displaying passwords in cleartext are more usable, especially for those with disabilities,” Walter Hoehn, Otto’s VP of engineering, says, “it’s when they are used together that the actual password exposure happens.”

That exposure is potentially widespread. During the research, some 30 control-group sites across online banking, cloud office tools, healthcare, government, social media and e-commerce were tested. In those tests, 96.7% of the sites sent personal data to Google and Microsoft, and 73% sent passwords when the “show password” option was clicked. The remaining 27% hadn’t actually mitigated the issue: they simply didn’t offer a show-password option. Equally interesting, the report states that Google itself was the only control site tested that had mitigated the issue “for email and some services”, although other Google properties, such as Google Cloud Secret Manager, had not at the time of testing.

A Google spokesperson says it appreciates “the collaboration with the security community, and we are always looking for ways to better protect user privacy and sensitive information”. The spokesperson makes it clear when it comes to text typed by a user: “Google does not attach it to any user identity and only processes it on the server temporarily.” The same statement continues to confirm that Google is working on excluding passwords proactively from the spellcheck function.

While Microsoft had yet to issue a formal statement at the time of writing, I understand that it, too, is investigating the issue.

How do you mitigate spell-jacking threats?

The most obvious mitigation is don’t enable enhanced spell-checking in either browser if the potential security implications outweigh the user convenience. As far as Microsoft Editor is concerned, as I mentioned previously, you can restrict the extension to only being active on specific sites or when you click the icon.

The Otto report suggests that companies add the spellcheck="false" attribute to input fields (the report recommends all of them, and at minimum any field that can hold a password, secret or other sensitive value), and use endpoint management tooling to disable enhanced spell-check features on managed browsers. One practical check: the attribute has to be on the element that actually ends up displaying cleartext. If a “show password” control simply switches the password input’s type to text, the attribute already on that input still applies; if the control swaps in a fresh element, that element needs the attribute too.
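The following is an added example, not code from Otto’s report or from this article, that shows the two things discussed above in working JavaScript: the “usability collision” of a show-password toggle that flips a field to cleartext, and the mitigation of making sure spellcheck="false" is on every field that can display sensitive text. It assumes a standard DOM when run in a browser; the sensitive-field name heuristic (SENSITIVE_NAME_RE), the data-was-password marker and the FakeElement stand-in are illustrative assumptions so the code also runs outside a browser.

```javascript
// Added example (not from Otto's report or the article). Demonstrates hardening
// form fields against spell-jacking and a safe show-password toggle.
// Assumptions: SENSITIVE_NAME_RE, data-was-password and FakeElement are ours.

const SENSITIVE_NAME_RE = /(pass(word|wd|phrase)?|secret|token|api[-_]?key|ssn|cvv|otp)/i;

// Decide whether a field may hold data that must never reach a spell-check
// service: anything that is (or was) a password field, plus fields whose
// name/id look sensitive. The naming heuristic is an assumption; tune it.
function isSensitiveField(el) {
  const type = (el.getAttribute('type') || 'text').toLowerCase();
  if (type === 'password' || el.getAttribute('data-was-password') === 'true') return true;
  const label = `${el.getAttribute('name') || ''} ${el.getAttribute('id') || ''}`;
  return SENSITIVE_NAME_RE.test(label);
}

// The mitigation Otto's report suggests: spellcheck="false" on the field.
// Returns true if the attribute was missing or wrong and had to be set.
function hardenField(el) {
  if (el.getAttribute('spellcheck') === 'false') return false;
  el.setAttribute('spellcheck', 'false');
  return true;
}

// Walk a collection of fields (e.g. document.querySelectorAll('input, textarea'))
// and harden every sensitive one. Returns how many fields were changed.
function hardenSensitiveFields(fields) {
  let hardened = 0;
  for (const el of fields) {
    if (isSensitiveField(el) && hardenField(el)) hardened += 1;
  }
  return hardened;
}

// The collision: a naive toggle does this and nothing else, so the field becomes
// an ordinary text input whose contents enhanced spell-check is free to upload.
function naiveReveal(el) {
  el.setAttribute('type', 'text');
}

// Safe toggle: mark the field as a former password input and harden it BEFORE
// switching to cleartext, so there is no window in which the text is eligible.
function revealPassword(el) {
  el.setAttribute('data-was-password', 'true');
  hardenField(el);
  el.setAttribute('type', 'text');
}

function hidePassword(el) {
  el.setAttribute('type', 'password');
}

// True if enhanced spell-check could see this field's contents: a cleartext
// type with no spellcheck="false" opt-out.
function isExposed(el) {
  const type = (el.getAttribute('type') || 'text').toLowerCase();
  return type !== 'password' && el.getAttribute('spellcheck') !== 'false';
}

// Stand-in for a DOM element so the example runs outside a browser (constructed
// for this example; real Element objects expose the same two methods).
class FakeElement {
  constructor(attrs = {}) { this.attrs = { ...attrs }; }
  getAttribute(name) {
    return Object.prototype.hasOwnProperty.call(this.attrs, name) ? this.attrs[name] : null;
  }
  setAttribute(name, value) { this.attrs[name] = String(value); }
}

// Demo on a constructed login form: harden the fields, then compare a naive
// show-password toggle with the safe one.
function demo() {
  const user = new FakeElement({ type: 'text', name: 'username' });
  const pass = new FakeElement({ type: 'password', name: 'password' });
  const apiKey = new FakeElement({ type: 'text', id: 'api_key' });
  const hardened = hardenSensitiveFields([user, pass, apiKey]); // password + api_key

  const naive = new FakeElement({ type: 'password', name: 'password' });
  naiveReveal(naive);        // cleartext, no opt-out: exposed
  revealPassword(pass);      // cleartext, but spellcheck="false": not exposed

  return { hardened, naiveExposed: isExposed(naive), safeExposed: isExposed(pass) };
}
```

In a real page, run `hardenSensitiveFields(document.querySelectorAll('input, textarea'))` once the DOM has loaded, and again for any fields a framework adds later; wire the page's "show password" control to `revealPassword` and `hidePassword` rather than flipping the type directly.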

If you want to check whether your browser has this functionality activated, in Chrome head for Settings | Languages | Spell check (or type chrome://settings/?search=Enhanced+Spell+Check in the address bar), and in Edge check your installed extensions and Settings | Languages | Use writing assistance.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.