Our response to MS Edge and Google Chrome’s “Spell-Jacking” vulnerability
This weekend we were made aware of a vulnerability in Google Chrome and Microsoft Edge in which the browsers' enhanced spellcheck features can send the contents of sensitive web form fields off to Google's and Microsoft's servers respectively.
Chrome’s enhanced spellcheck & Edge’s MS Editor are sending data you enter into form fields like username, email, DOB, SSN, basically anything in the fields, to sites you’re logging into from either of those browsers when the features are enabled. Furthermore, if you click on “show password,” the enhanced spellcheck even sends your password, essentially Spell-Jacking your data.
- https://www.otto-js.com/news/article/chrome-and-edge-enhanced-spellcheck-features-expose-pii-even-your-passwords
How can you tell if you’re affected?
The good news is that this only happens if "enhanced" spell check is enabled, which is an opt-in feature; the basic, on-device spellchecker does not send field contents anywhere. The bad news is that a managed corporate browser profile may have enabled the enhanced feature on your behalf without your knowing about it.
We recommend you check your browsers and disable enhanced spellchecking if possible. In Chrome the setting is under Settings > Languages > Spell check (chrome://settings/languages), where "Basic spell check" should be selected rather than "Enhanced spell check"; Google publish instructions for this. The equivalent Microsoft Editor setting in Edge is on its Languages settings page (edge://settings/languages).
What are we doing about it?
The only mitigation available to website/service owners is to ask the browser not to spellcheck form fields, by setting the spellcheck="false" attribute. This can be done per-field, and we are rolling out a change to do exactly this on our dashboard management application. One caveat worth knowing: a password field is not spellchecked while its type is "password", but a "show password" control that switches the field to type="text" makes its contents spellcheckable, so the attribute needs to be on the password field itself rather than relying on the field type.
What do our customers need to do about it?
Unfortunately there’s no one-size-fits-all solution. Each service will have to make its own decision about the sensitivity of the information that’s expected to be entered in each of its form fields and then make a value judgement on whether the security benefit of disabling spellcheck on that field outweighs the potential usability downside of not automatically spellchecking its contents.
If you do decide to disable spellcheck, this is how it can be done:
Upgrade your form to at least version 1.3.3 of gds-design-system-dsl, which includes a new convenience member on the Input and TextArea widgets to add the spellcheck="false" attribute and value. It can be added to your affected widget's ExtraTemplateRenderArgs like this:
Input.inputText("mySensitiveQuestion", messages, constraints, Input.disableSpellcheck)
or
TextArea.textArea("myLongSensitiveQuestion", messages, constraints, TextArea.disableSpellcheck)
Alternatively, if your form does not use gds-design-system-dsl, you can implement your own SimpleExtraTemplateRenderArgs that adds the attribute and value in a way that works for your own widget and template. You're even welcome to copy the implementation from our own widget if that helps.
Want to know more?
Come have a look around https://uxforms.com, follow UX Forms on twitter, LinkedIn, or email us at hello@uxforms.com and see how we can make your forms better, together.