Our response to MS Edge and Google Chrome’s “Spell-Jacking” vulnerability

UX Forms
3 min readSep 20, 2022

--

Illustrative sign in form showing username and password fields
Image by Gerd Altmann from Pixabay

This weekend we were made aware of a vulnerability in Google Chrome and Microsoft Edge where it could send sensitive web form information back to their servers.

Chrome’s enhanced spellcheck & Edge’s MS Editor are sending data you enter into form fields like username, email, DOB, SSN, basically anything in the fields, to sites you’re logging into from either of those browsers when the features are enabled. Furthermore, if you click on “show password,” the enhanced spellcheck even sends your password, essentially Spell-Jacking your data.
- https://www.otto-js.com/news/article/chrome-and-edge-enhanced-spellcheck-features-expose-pii-even-your-passwords

How can you tell if you’re affected?

The good news is that this only happens if “enhanced” spell check is enabled, which is an opt-in feature. The bad news is that, potentially, corporate browser profiles may well have enabled this feature on your behalf without you knowing about it.

We recommend you check your browsers and disable enhanced spellchecking if possible. Google have instructions for how to disable the feature in Chrome, and equivalent instructions for Edge can be found elsewhere.

What are we doing about it?

The only mitigation available to website/service owners is to ask the browser to not spellcheck form fields. This can be done per-field, and we are rolling out a change to do exactly this on our dashboard management application.

What do our customers need to do about it?

Unfortunately there’s no one-size-fits-all solution. Each service will have to make its own decision about the sensitivity of the information that’s expected to be entered in each of its form fields and then make a value judgement on whether the security benefit of disabling spellcheck on that field outweighs the potential usability downside of not automatically spellchecking its contents.

If you do decide to disable spellcheck, this is how it can be done:

Upgrade your form to at least version 1.3.3 of gds-design-system-dsl, which includes a new convenience member on the Input and TextArea widgets to add the spellcheck=”false” attribute and value. It can be added to your affected widget’s ExtraTemplateRenderArgs like this:

Input.inputText("mySensitiveQuestion", messages, constraints, Input.disableSpellcheck)

or

TextArea.textArea("myLongSensitiveQuestion", messages, constraints, TextArea.disableSpellcheck)

Alternatively, if your form does not use gds-design-system-dsl , you can implement your own SimpleExtraTemplateRenderArgs that adds the attribute and value in a way that works for your own widget and template. You’re even welcome to copy the implementation from our own widget if that helps.

Want to know more?

Come have a look around https://uxforms.com, follow UX Forms on twitter, LinkedIn, or email us at hello@uxforms.com and see how we can make your forms better, together.

--

--

UX Forms

An enterprise-ready cloud platform for webform development. See our website for more: https://uxforms.com