Spell checking in Chrome and Edge may reveal passwords and personal information
The researchers explain that Chrome and Edge ship with basic spell checking enabled. Both browsers also offer an enhanced mode, Chrome Enhanced Spellcheck and Microsoft Editor respectively, which the user must enable manually. It is this enhanced mode that, according to the researchers, creates the privacy risk.

The problem is that when enhanced spell checking is enabled in Chrome or Edge, the contents of user-filled forms are transferred to Google and Microsoft servers for checking. Depending on the site, those forms may contain personal information: social security numbers, name, address, email address, date of birth, contact details, banking and payment information, and so on.

otto-js head Josh Summit says that when Chrome Enhanced Spellcheck or Microsoft Editor is enabled, "virtually everything" entered into form fields is reported to Google and Microsoft.

“Furthermore, if you click ‘show password,’ the advanced spell checker will even transmit your password [to the company’s server],” explains otto-js. “Some of the largest sites in the world may send users’ sensitive personal information, including username, email address and password, to Google and Microsoft when users log in or fill out forms. An even more serious problem may be corporate credentials that provide access to internal systems, including databases and cloud infrastructure.”

As an example, the researchers demonstrated the behavior by entering credentials for Alibaba Cloud in Chrome (although almost any website would do for this demonstration). With enhanced spell checking enabled, once the user clicks “show password”, all form fields, including the username and password, are sent to googleapis.com.


The company also published a video demonstration of the problem.

Journalists from Bleeping Computer ran their own tests and report that, with Enhanced Spell Check active in Chrome, the following sites transmitted data to Google:

  • CNN - username and password (after clicking “show password”);
  • com - username and password (after clicking “show password”);
  • gov - username field only;
  • Bank of America - username field only;
  • Verizon - username field only.
Although the form fields are sent over HTTPS, it's not entirely clear what happens to the user data once it reaches the remote server, in this example Google's.

You can check if Enhanced Spell Check is enabled in Chrome by typing chrome://settings/?search=Enhanced+Spell+Check into the address bar.


Google representatives confirmed to reporters that enabling Enhanced Spellcheck requires explicit user consent. As the screenshot above shows, the browser itself warns that text entered in the browser will be sent to Google servers when this option is on.

“The text entered by the user may be sensitive personal information, and Google does not associate it with the user’s identity, but only temporarily processes it on the server. To provide better privacy, we will work to proactively exclude passwords from spell checking," Google said.
As for Edge, Microsoft Editor Spelling & Grammar Checker is a separate browser add-on that must be installed for the dangerous behavior to occur.

otto-js also warned that user data for Office 365, Alibaba Cloud, Google Cloud - Secret Manager, Amazon AWS - Secrets Manager and LastPass may be at risk. After being notified by researchers, AWS and LastPass have now fixed the issue. In the case of LastPass, the solution was quite simple: just add the HTML attribute spellcheck="false" to the password field.


“Businesses can reduce the risk of exposing their customers’ identities by adding spellcheck=false to all input fields, although this may create inconvenience for users,” says otto-js. “Alternatively, you can add it only to fields with sensitive data. Companies may also want to drop the ‘show password’ feature altogether.”
As for users, they can simply disable advanced spell checking in their browsers until companies reconsider how they handle information from fields containing sensitive data.
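The LastPass fix and the otto-js advice above come down to the same thing: a sensitive field must carry spellcheck="false", and that attribute must survive the moment a "show password" control flips the input from type="password" to type="text". The following is an added example, not code from otto-js, LastPass or the article: a toggle that keeps the opt-out in place, plus an audit that lists sensitive inputs still exposed to enhanced spell check. It only uses getAttribute/setAttribute, so it works on real DOM elements in a browser and on the plain stand-in objects constructed here for offline testing; the list of sensitive field names is an assumption.

```javascript
// Field names treated as sensitive for the audit (assumption for this example).
const SENSITIVE_NAMES = ['password', 'passwd', 'ssn', 'card', 'cvv', 'token', 'secret'];

// Opt the field out of browser spell checking. The attribute stays on the element
// regardless of its current type, so a later switch to type="text" is covered too.
function hardenSensitiveField(el) {
  el.setAttribute('spellcheck', 'false');
  return el;
}

// A field is sensitive if it is a password input or its name hints at a secret.
function isSensitive(el) {
  const type = (el.getAttribute('type') || 'text').toLowerCase();
  const name = (el.getAttribute('name') || '').toLowerCase();
  return type === 'password' || SENSITIVE_NAMES.some((n) => name.includes(n));
}

// The "show password" feature from the article, implemented safely: the field is
// hardened before its type is flipped, so the revealed text is never spell-checked.
// Returns the new input type.
function togglePasswordVisibility(el) {
  hardenSensitiveField(el);
  const showing = el.getAttribute('type') === 'text';
  el.setAttribute('type', showing ? 'password' : 'text');
  return el.getAttribute('type');
}

// Return the names of sensitive inputs that have NOT opted out of spell checking.
function auditInputs(inputs) {
  return inputs
    .filter((el) => isSensitive(el) && el.getAttribute('spellcheck') !== 'false')
    .map((el) => el.getAttribute('name') || '(unnamed)');
}

// Minimal element stand-in so the code runs outside a browser (constructed for the example).
function fakeInput(attrs) {
  const a = { ...attrs };
  return {
    getAttribute: (k) => (k in a ? a[k] : null),
    setAttribute: (k, v) => { a[k] = String(v); },
  };
}

// Constructed sample login form: only the password field is still exposed.
const sampleForm = [
  fakeInput({ name: 'username', type: 'text' }),
  fakeInput({ name: 'password', type: 'password' }),
  fakeInput({ name: 'card_number', type: 'text', spellcheck: 'false' }),
];
```

In a browser, the same audit runs as auditInputs(Array.from(document.querySelectorAll('input, textarea'))) and returns the fields a site still needs to fix.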