Connect with us

News

Your browser’s spell checker is reportedly leaking passwords

They’re leaking your personal information.
Chrome password manager on blurred background
Image: KnowTechie

A new report from cyber security company otto-js proves that whatever you type into form fields is being sent to remote servers for spell check, including passwords.

Now, this isn’t entirely new. Enhanced spellcheck in Chrome warns you it will send data to Google’s servers. Microsoft Edge says it “connects to a Microsoft online service.”

That doesn’t mean it’s not an issue. For example, it could contain sensitive information depending on which form you’re filling in.

Anything from your Social Security Number (SSNs), banking details, and more is in plain sight. The spellcheck even sends passwords in plaintext in some situations. Via the company’s blog post:

1125 8391 1693414789

Don't miss out on Garmin's latest smartwatches, the Venu 3 and Venu 3S smartwatches!

Know the real you with the Venu 3 smartwatch, the ultimate on-wrist coach designed to support your goals.

Learn More

“Chrome’s enhanced spellcheck & Edge’s MS Editor are sending data you enter into form fields like username, email, DOB, SSN, basically anything in the fields, to sites you’re logging into from either of those browsers when the features are enabled. Furthermore, if you click on “show password,” the enhanced spellcheck even sends your password, essentially Spell-Jacking your data.”

Your browser spellchecker is leaking your passwords

The browser-based spellchecker works on almost any website. A way to mitigate sending sensitive information is by adding an HTML attribute to the password field.

Most websites don’t use this, and even popular password managers like LastPass didn’t have the mitigation. However, as has AWS with its Secrets Manager, LastPass has mitigated the issue.

Image

Learn AI in 5 Minutes a Day. We'll teach you how to save time and earn more with AI. Join 70,000+ free daily readers for trending tools, productivity-boosting prompts, the latest news, and more.

Sign up - It's FREE

While this is undeniably an issue for everyone using these browser tools, it’s more of a problem for companies.

Think of all the passwords to internal tools that Chrome and Edge have passed across to Google or Microsoft’s servers.

Google chrome new password alert feature
Image: KnowTechie

For their part, Google told BleepingComputer that “to further ensure user privacy, we will be working to exclude passwords proactively from spell check.” That might also fix the issue in Edge, as they both use the Chromium core.

To keep your data safe until then, remove or disable the Microsoft Editor extension in Edge.

Chrome users will want to check if Enhanced spell check is disabled. If it’s not, turn it off if you feel at risk. The basic spell check works on any device, so your data is safe.

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

Follow us on Flipboard, Google News, or Apple News

Related Topics
Avatar for Joe Rice-Jones

Maker, meme-r, and unabashed geek with nearly half a decade of blogging experience. If it runs on electricity (or even if it doesn't), Joe probably has one around his office somewhere. His hobbies include photography, animation, and hoarding Reddit gold.

Deals of the Day

  1. Paramount+: Live Sports Starting at $2.50/mo. for 12 Mos. Sports - Try It Free w/ code: SPORTS
  2. Save $20 on a Microsoft365 subscription at Best Buy with a Best Buy Membership!
  3. Try Apple TV+ for FREE and watch all the Apple Originals
  4. Save $300 on a Segway at Best Buy, now $699

More in News