Our response to MS Edge and Google Chrome’s “Spell-Jacking” vulnerability
This weekend we were made aware of a vulnerability in Google Chrome and Microsoft Edge where it could send sensitive web form information back to their servers.
Google, Microsoft can get your passwords via web browser's spellcheck
Extended spellcheck features in Google Chrome and Microsoft Edge web browsers transmit form data, including personally…
Chrome’s enhanced spellcheck & Edge’s MS Editor are sending data you enter into form fields like username, email, DOB, SSN, basically anything in the fields, to sites you’re logging into from either of those browsers when the features are enabled. Furthermore, if you click on “show password,” the enhanced spellcheck even sends your password, essentially Spell-Jacking your data.
How can you tell if you’re affected?
The good news is that this only happens if “enhanced” spell check is enabled, which is an opt-in feature. The bad news is that, potentially, corporate browser profiles may well have enabled this feature on your behalf without you knowing about it.
We recommend you check your browsers and disable enhanced spellchecking if possible. Google have instructions for how to disable the feature in Chrome, and equivalent instructions for Edge can be found elsewhere.
What are we doing about it?
The only mitigation available to website/service owners is to ask the browser to not spellcheck form fields. This can be done per-field, and we are rolling out a change to do exactly this on our dashboard management application.
What do our customers need to do about it?
Unfortunately there’s no one-size-fits-all solution. Each service will have to make its own decision about the sensitivity of the information that’s expected to be entered in each of its form fields and then make a value judgement on whether the security benefit of disabling spellcheck on that field outweighs the potential usability downside of not automatically spellchecking its contents.
If you do decide to disable spellcheck, this is how it can be done:
Upgrade your form to at least version
gds-design-system-dsl, which includes a new convenience member on the
TextArea widgets to add the
spellcheck=”false” attribute and value. It can be added to your affected widget’s
ExtraTemplateRenderArgs like this:
Input.inputText("mySensitiveQuestion", messages, constraints, Input.disableSpellcheck)
TextArea.textArea("myLongSensitiveQuestion", messages, constraints, TextArea.disableSpellcheck)
Alternatively, if your form does not use
gds-design-system-dsl , you can implement your own
SimpleExtraTemplateRenderArgs that adds the attribute and value in a way that works for your own widget and template. You’re even welcome to copy the implementation from our own widget if that helps.