Chrome Harvests Identity Information
If you have Google Chrome’s Enhanced spell checking manually turned on, your private data such as passwords, and other information are transmitted to Google. It is an add-on that needs to be manually installed in order for this to take place. The analyst at otto-js security firm dubbed the attack vector as ‘Spelljacking’ and expressed concern for Internet users’ safety.
However, it is still possible to use a spell checker but it must be the enabled default spell checker that is already automatically enabled on the Google browser.
In April 2017, Google announced that users of Chrome could enable spellcheck in other languages. This added capability provided extra unwanted features, such as the transmission of form data with Personally Identifiable Information (PII). This unique feature posed a detrimental problem as transmitted sensitive data also includes login information such as passwords.
The intended feature was created to improve the experience of Chrome users, but it does raise concerns about the safety of the inputted private data. The Cyber analyst warned consumers of the problem, as it is difficult to ascertain what happens to the data after transmission, and how safe the practice might be, especially when it comes to password fields.
Google Chrome comes with basic spellcheckers already enabled which is relatively safe. However, the danger arises if you manually enable Chrome’s Enhanced Spellcheck feature. This is a new addition that causes the potential privacy issue.
What’s damaging is that the form that collects the data has the potential to include users’ personally identifiable information (PII). So far, some collected data includes SSNs/SINs, names, addresses, emails, dates of birth (DOBs), contact information, banks, and other financial institutions’ information.
Prevent SpellJacking on Chrome
With the revelation from the cyber firm, Google states that it does not abuse or harvest the text to any user identity. According to the tech giant, the company only processes the text on the server temporarily to ensure the privacy of its users.
To prevent spelljacking you can click the vertical ellipsis in the top-right corner of a Chrome window and select Settings > Languages > Spell check to see if Enhanced Spell Check is turned on. You can either choose the radio button next to “Basic spell check” or completely deactivate it.
Website administrators can help avoid the problem by modifying the HTML code and adding “spellcheck=false” to all or specific input fields. In addition, websites can also disable the “display password” feature, which will not stop Spell-jacking, but blocks user passwords, and other private data from being transmitted to Google’s server.