Your browser’s spell checker is reportedly leaking passwords

A new report from cyber security company otto-js proves that whatever you type into form fields is being sent to remote servers for spell check, including passwords.

Now, this isn’t entirely new. Enhanced spellcheck in Chrome warns you it will send data to Google’s servers. Microsoft Edge says it “connects to a Microsoft online service.”

That doesn’t mean it’s not an issue. For example, it could contain sensitive information depending on which form you’re filling in.

Anything from your Social Security Number (SSNs), banking details, and more is in plain sight. The spellcheck even sends passwords in plaintext in some situations. Via the company’s blog post:

“Chrome’s enhanced spellcheck & Edge’s MS Editor are sending data you enter into form fields like username, email, DOB, SSN, basically anything in the fields, to sites you’re logging into from either of those browsers when the features are enabled. Furthermore, if you click on “show password,” the enhanced spellcheck even sends your password, essentially Spell-Jacking your data.”

Your browser spellchecker is leaking your passwords

The browser-based spellchecker works on almost any website. A way to mitigate sending sensitive information is by adding an HTML attribute to the password field.

Most websites don’t use this, and even popular password managers like LastPass didn’t have the mitigation. However, as has AWS with its Secrets Manager, LastPass has mitigated the issue.

While this is undeniably an issue for everyone using these browser tools, it’s more of a problem for companies.

Think of all the passwords to internal tools that Chrome and Edge have passed across to Google or Microsoft’s servers.

For their part, Google told BleepingComputer that “to further ensure user privacy, we will be working to exclude passwords proactively from spell check.” That might also fix the issue in Edge, as they both use the Chromium core.

To keep your data safe until then, remove or disable the Microsoft Editor extension in Edge.

Chrome users will want to check if Enhanced spell check is disabled. If it’s not, turn it off if you feel at risk. The basic spell check works on any device, so your data is safe.

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• How to view and edit saved passwords in Google Chrome
• How to turn on Google Chrome’s secret Reader Mode
• How to stop Chrome from saving history on Windows and Mac
• Microsoft Edge is testing a free in-browser VPN