Microsoft Accused of ‘Spelljacking’ Users’ Data
Edge Stores Passwords and Bank Info
Microsoft recently released its new Edge browser with its Extended Spellcheck add-on function. But, a cyber analyst revealed that it was discovered that the add-on transmits forms’ information back to the company’s server. However, the information archived, as reported by cyber analysts are some private data that users are unaware of. The private data includes what is known as Personal Identifiable Information (PII) where even private passwords are being saved by Microsoft.
Even though this may not be a deliberate or intended function, as discovered, it raises concerns about the security of individuals that surf the Internet. The big question is what happens to the data after it is transmitted to the Microsoft server. Also, how safe the procedure might be, particularly when it comes to password fields found on Microsoft’s Extended spellcheck form.
The revelation made indicates that Google is also guilty of the same practice with its Chrome browser. Accordingly, both Microsoft Edge and Google Chrome come with basic spellcheckers enabled. However, the spellchecking issue is with the Extended Spellchecker feature, which must be manually enabled by the user. If it is manually enabled, it may present this potential privacy risk. In all kinds of form data, PII can be present, including SSNs/SSINs, names, addresses, emails, dates of birth (DOBs), contact info, and bank and payment information.
The problem was detected by the cyber analyst at otto-js, who indicated that the issue can be solved with LastPass by adding a simple HTML attribute, spellcheck=’false’, to the password field: The spellcheck attribute is normally assumed by browsers to be ‘true’ unless otherwise specified. By setting this particular attribute to ‘false’, companies may prevent their customers from having their data shared with third-party websites.
However, the cyber analyst noted that the reported fix may present users with other complications since they will no longer be able to use the browser spellchecker to proofread their content.
How to Stop SpellJacking on Microsoft Edge
Another alternative is to add it to just the form fields with sensitive data. It is also advised that website developers can also remove the ‘show password’ section. And while, it won’t prevent spell-jacking, the term used to identify the flaw, it would prevent user passwords from being submitted to the Internet browser that is being used to surf the web.
In addition, consumers have been advised to remove the Microsoft Editor add-on from Edge until the tech giant revised its extended spellchecker, to exclude the processing of sensitive fields, like passwords, and other pertinent information transmitted back to its server.
As an added safeguard, individuals using Microsoft Edge to access websites could turn off Enhanced Spell Check by following the steps listed here.
You may check to see if Enhanced Spell Check is enabled by clicking the vertical ellipsis in the top-right corner of a Chrome window and choosing Settings > Languages > Spell check. This will help you avoid spelljacking. Either select the radio box next to “Basic spell check” or deactivate it entirely.
By altering the HTML code and adding “spellcheck=false” to all or specific input fields, website admins can help solve the issue. Additionally, websites have the option to turn off the “display password” function, which does not prevent Spell-jacking but does prevent user passwords and other private information from being sent to Microsoft’s server.
