Your browser’s spell checker is reportedly leaking passwords

They’re leaking your personal information.


A new report from cyber security company otto-js proves that whatever you type into form fields is being sent to remote servers for spell check, including passwords.

Now, this isn’t entirely new. Enhanced spellcheck in Chrome warns you it will send data to Google’s servers. Microsoft Edge says it “connects to a Microsoft online service.”

That doesn’t mean it’s not an issue. Depending on which form you’re filling in, the text being sent could contain sensitive information.

Anything from Social Security Numbers (SSNs) to banking details and more is in plain sight. The spellcheck even sends passwords in plaintext in some situations. Via the company’s blog post:

“Chrome’s enhanced spellcheck & Edge’s MS Editor are sending data you enter into form fields like username, email, DOB, SSN, basically anything in the fields, to sites you’re logging into from either of those browsers when the features are enabled. Furthermore, if you click on “show password,” the enhanced spellcheck even sends your password, essentially Spell-Jacking your data.”

Your browser spellchecker is leaking your passwords

The browser-based spellchecker works on almost any website. A way to mitigate sending sensitive information is by adding an HTML attribute to the password field.

Most websites don’t use this, and even popular password managers like LastPass didn’t have the mitigation. However, LastPass has since mitigated the issue, as has AWS with its Secrets Manager.
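The article does not name the attribute; the standard HTML one for this purpose is `spellcheck="false"`. The following is an added example, not code from otto-js or any site mentioned here, showing how a site owner could audit a page for sensitive fields that lack it and set it. The field-name patterns and autocomplete tokens used to decide what counts as sensitive are assumptions for illustration.

```javascript
// Added example: find sensitive form fields missing spellcheck="false" and fix them.
// The heuristics below are illustrative assumptions, not taken from the report.
const SENSITIVE_AUTOCOMPLETE = new Set([
  "current-password", "new-password", "one-time-code",
  "cc-number", "cc-csc", "cc-exp",
]);
const SENSITIVE_NAME = /pass(word|wd)?|pwd|secret|token|ssn|social|card|cvv|cvc|dob|birth/i;

// True when a field is likely to carry data that should not reach a spell-check service.
function isSensitive(el) {
  const type = (el.getAttribute("type") || "text").toLowerCase();
  // Password inputs are flagged so the attribute is already in place
  // when a "show password" toggle switches the field to type="text".
  if (type === "password") return true;
  const ac = (el.getAttribute("autocomplete") || "").toLowerCase().split(/\s+/);
  if (ac.some((t) => SENSITIVE_AUTOCOMPLETE.has(t))) return true;
  const label = [el.getAttribute("name"), el.getAttribute("id")].filter(Boolean).join(" ");
  return SENSITIVE_NAME.test(label);
}

// Returns the sensitive fields that lacked spellcheck="false"; with fix=true also sets it.
function auditSpellcheck(fields, fix = false) {
  const missing = [];
  for (const el of fields) {
    if (!isSensitive(el)) continue;
    if ((el.getAttribute("spellcheck") || "").toLowerCase() === "false") continue;
    missing.push(el);
    if (fix) el.setAttribute("spellcheck", "false");
  }
  return missing;
}

// In a browser, run over every text-entry control on the page.
if (typeof document !== "undefined") {
  const fields = document.querySelectorAll("input, textarea, [contenteditable]");
  const fixed = auditSpellcheck(fields, true);
  console.log(`spellcheck="false" added to ${fixed.length} sensitive field(s)`);
}
```

Fields injected after page load are not covered by a single pass, so the attribute is best set in the page's own markup or templates.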

While this is undeniably an issue for everyone using these browser tools, it’s more of a problem for companies.

Think of all the passwords to internal tools that Chrome and Edge have passed across to Google or Microsoft’s servers.


For its part, Google told BleepingComputer that “to further ensure user privacy, we will be working to exclude passwords proactively from spell check.” That might also fix the issue in Edge, as both browsers use the Chromium core.

To keep your data safe until then, remove or disable the Microsoft Editor extension in Edge.

Chrome users will want to check if Enhanced spell check is disabled. If it’s not, turn it off if you feel at risk. The basic spell check works on any device, so your data is safe.

Maker, meme-r, and unabashed geek with nearly half a decade of blogging experience. If it runs on electricity (or even if it doesn't), Joe probably has one around his office somewhere. His hobbies include photography, animation, and hoarding Reddit gold.