January 19, 2023 by James

The risk of Spell Checking

Did you know that input fields on a web form support spell checking by default in many web browsers? This is a feature of the browser that can help catch errors early for the end user. Recently, some testers found that some data may be leaked during the spell checking function to 3rd parties. Here is a reference article describing this: https://www.darkreading.com/application-security/spellchecking-google-chrome-microsoft-edge-browsers-leaks-passwords

The first point to make here is that the exposure only applies when certain browser settings are enabled. For Chrome, for example, it is when the enhanced spell check option is enabled.

The other point to make up front is that, apparently, passwords were only at risk if the field had a "show password" option that was clicked. Password fields without a "show password" option were not at risk.

Recommendation

It is worth considering disabling spell checking on fields that don't need it. Many sensitive fields do not benefit from spell checking at all: things like usernames or Social Security Numbers don't need it. In these cases, it may be a good idea to disable spell checking on the field. This can be done by setting the spellcheck attribute to false as shown below (note the attribute value must use plain straight quotes; typographic quotes are not valid HTML attribute delimiters):

Simple TextBox

   <input type="text" spellcheck="false">

Text Area

     <textarea spellcheck="false"></textarea>

You could also cover the entire form by setting it at the form level as shown below, since controls inherit the setting from an enclosing element that specifies it:

     <form spellcheck="false">
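As an added example (this is not code from the original post), the Node.js script below lints HTML markup for sensitive text-entry fields that are still spell-checkable and rewrites the flagged ones to carry spellcheck="false". It honours the form-level attribute described above, treats an explicit attribute on the control as taking precedence, and treats a missing attribute as the browser default (spell checking on). The field-name heuristic (SENSITIVE_NAME), the list of spell-checkable input types and the sample form are constructed for the demonstration; adjust the heuristic to your own application's field names.

```javascript
// Added example, not code from the DevelopSec post: a markup lint for the
// spellcheck attribute, plus a rewrite that switches it off on sensitive fields.

// Field names that usually hold data we would rather not hand to a remote
// spell-check service. Constructed heuristic; extend it for your own forms.
const SENSITIVE_NAME = /user(name)?|login|ssn|social|account|card|dob|birth|passport|phone|email/i;

// Input types that accept free text and can therefore be spell checked.
// "password" is included because a "show password" toggle typically flips
// the control to type=text, which is the scenario the post describes.
const TEXT_TYPES = new Set(['text', 'search', 'email', 'tel', 'url', 'password']);

// Tags we care about: <form> for inherited settings, <input>/<textarea> as controls.
const TAG_RE = /<(\/?)(form|input|textarea)\b([^>]*)>/gi;
// name, name="v", name='v', name=v (bare attribute => empty string, i.e. "true" in HTML)
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttributes(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Classify one <input>/<textarea>. Returns null for controls that cannot be
// spell checked at all (checkboxes, hidden fields, buttons, ...).
function classify(tag, attrs, formSpellcheck) {
  const type = (attrs.type || 'text').toLowerCase();
  if (tag === 'input' && !TEXT_TYPES.has(type)) return null;
  const field = attrs.name || attrs.id || '(unnamed)';
  const sensitive = type === 'password' || SENSITIVE_NAME.test(field);
  // Explicit attribute wins; otherwise the enclosing <form>'s value is
  // inherited; otherwise the browser default (spell checking enabled) applies.
  const effective = (attrs.spellcheck ?? formSpellcheck ?? 'default').toLowerCase();
  return { tag, type, field, sensitive, effective, flagged: sensitive && effective !== 'false' };
}

// Walk the markup in document order, tracking the enclosing <form>'s spellcheck
// setting, and hand every text-entry control to visit(). The visitor may return
// replacement markup for that tag; otherwise the tag is kept as-is.
function walkControls(html, visit) {
  let formSpellcheck = null;
  return html.replace(TAG_RE, (whole, slash, tagName, attrText) => {
    const tag = tagName.toLowerCase();
    const closing = slash === '/';
    const attrs = parseAttributes(attrText);
    if (tag === 'form') {
      formSpellcheck = closing ? null : (attrs.spellcheck ?? null);
      return whole;
    }
    if (closing) return whole;
    const info = classify(tag, attrs, formSpellcheck);
    if (!info) return whole;
    return visit(info, whole, tagName, attrText) ?? whole;
  });
}

// Report sensitive fields whose effective spellcheck setting is not "false".
function auditSpellcheck(html) {
  const findings = [];
  walkControls(html, (info) => { if (info.flagged) findings.push(info); });
  return findings;
}

// Rewrite the markup so every flagged field carries spellcheck="false".
function disableSpellcheckOnSensitiveFields(html) {
  return walkControls(html, (info, whole, tagName, attrText) => {
    if (!info.flagged) return whole;
    // Drop any existing spellcheck attribute so it is never emitted twice.
    const rest = attrText.replace(/\s*\bspellcheck(\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/i, '');
    return `<${tagName} spellcheck="false"${rest}>`;
  });
}

// Constructed sample: one form with mixed fields, one form hardened at form level.
const SAMPLE_FORM = `
<form action="/signup" method="post">
  <input type="text" name="username">
  <input type="password" name="password" id="pw">
  <input type="text" name="ssn" spellcheck="false">
  <textarea name="bio"></textarea>
  <input type="checkbox" name="terms">
</form>
<form spellcheck="false">
  <input type="text" name="account_number">
</form>`;

for (const f of auditSpellcheck(SAMPLE_FORM)) {
  console.log(`${f.tag}[${f.type}] "${f.field}": spellcheck=${f.effective}`);
}
console.log(disableSpellcheckOnSensitiveFields(SAMPLE_FORM));
```

Run it with `node spellcheck-lint.js` (any file name will do). On the sample it reports the "username" and "password" fields and leaves "ssn" (explicit attribute) and "account_number" (inherited from its form) alone; the rewritten markup then audits clean. This is a lint over static templates, which is where the attribute belongs; it is not a runtime patch, and it deliberately says nothing about what the browser actually does for a field without the attribute beyond "browser default", because that behaviour is the browser's to decide.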

Conclusion

Just like caching, there are special considerations when dealing with sensitive data. Even though the risk may require special circumstances and configurations that are out of your control, we can take proactive steps that are within our control. In this case, you have the ability to shut the spell checker off if it is not needed. It doesn't make sense to turn it off for everything, but it may make sense for sensitive fields.
