Recent research from the otto-js Research Team has uncovered that data that is being checked by both Microsoft Editor and the enhanced spellcheck setting within Google Chrome is being sent to Microsoft and Google respectively. This data can include usernames, emails, DOB, SSN, and basically anything that is typed into a text box that is checked by these features.
As an additional note, even passwords can be sent by these features, but only when a "Show Password" button is pressed, which converts the password into visible text, which is then checked.
The key issue resolves around sensitive user personally identifiable information (PII), and this is a key concern for enterprise credentials when accessing internal databases and cloud infrastructure. In the images shown below shared by otto-js, you can see a user logging in to Alibaba Cloud, with their data being shared with Google.
Some companies are already taking action to prevent this, with both AWS and LastPass security teams confirming that they have mitigated this with an update. The issue has already been dubbed "spell-jacking". What"s most concerning is that these settings are so easy to enable by users, and could result in data exposure without anyone ever realising it.
The team at otto-js ran a test of 30 websites, across a range of sectors, and found that 96.7% of them sent data with PII back to Google and Microsoft.
Interestingly enough, the only website that had mitigated the issue from this group was Google itself but only for some services and not all of its products that were tested. At present, the otto-js Research Team recommends that these extensions and settings are not used until this issue is resolved.
Source: otto-js Research Team