Published in News

Browser Spellchucking features might be leaking your passwords

by on20 September 2022

And talking to Google and Vole

Spellchecking features added into Google Chrome and Microsoft Edge web browsers have been caught to be leaking sensitive information back to their parent companies.

How Microsoft can benefit from the fact I can't spell epelepsy, no one knows, but an analysis by JavaScript security firm otto-js( said browser spell checkers  are leaking their own personal information such as usernames, emails, passwords, and more, to the browsers’ companies.

Both browsers have basic, built-in spellchecking features enabled by default, which do not transmit data back to Google or Microsoft. Chrome’s ‘Enhanced Spellcheck’ and Edge’s ‘Microsoft Editor’ are exclusively opt-in add-ons that users must explicitly authorize, and while it’s made clear that your data will be sent back to both companies to improve the products, it’s not so obvious that this could include your personally identifiable information (PII).

Because the spell checkers work with webpage text fields, both tools have access to everything. This means that any data you input online, including your date of birth, payment details, contact information, and login credentials could all be being sent back to Google and Microsoft.

Bleeping Computer found the transmission of usernames to, Bank of America, and Verizon, using Chrome, with passwords also being exposed to CNN and Facebook only when the ‘show password’ or equivalent button had been clicked.

One way to minimise exposure is for web developers to include “spellcheck=false” to any input fields that may require sensitive information, effectively blocking out those fields from spellchecking tools, though this will of course mean that spellchecking will be disabled in these entries.

On a user’s end, temporarily disabling enhanced spellcheckers or removing them entirely from a browser seem to be the only ways of protecting your data, at least until either company revises its privacy policy.


Last modified on 20 September 2022
Rate this item
(0 votes)

Read more about: