Your passwords might be exposed by your browser’s spellchecker

Google Chrome and Microsoft Edge have been found to leak private data through their enhanced spellchecking features.

According to research conducted by the JavaScript security firm otto-js, most users enable features that they believe will increase their productivity, only to discover that they are leaking personal information such as usernames, emails, passwords, and more to the browsers’ respective companies.

Simple, built-in spellcheckers are available in both browsers by default, and they don’t share your data with Google or Microsoft. The “Enhanced Spellcheck” add-on for Chrome and the “Microsoft Editor” add-on for Edge both require users to opt in. While it is made clear that your data will be sent back to both companies to improve the products, it is less clear that this could include your personally identifiable information (PII).

Password leaks in Chrome and Edge

Both tools can send “basically anything” when used in conjunction with most text fields on a website, as claimed by otto-js. Therefore, it is possible that Google and Microsoft could receive any information you enter on the internet, including your birthday, payment information, contact information, and login credentials.

Most websites that hide passwords as they are typed also hide this highly sensitive information from the spellchecking tools. However, when a user clicks to reveal the text (perhaps to check if they have typed it correctly), the password becomes visible to the spellchecker as well.

otto-js discovered Chrome transmitting usernames to, Bank of America, and Verizon, and that passwords were also exposed, but only after the “show password” or similar button was clicked.

To prevent accidental disclosure, web developers can add “spellcheck=false” to any input fields that might need confidential information. This will prevent spellchecking tools from scanning these fields, but it will also prevent spellchecking from working.
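One way a site could apply this, shown as an added example rather than code from otto-js or either browser vendor: it sets the attribute on confidential fields and keeps it in place when a “show password” button switches the field to plain text. The function names and the list of autocomplete values treated as confidential are assumptions made for the example.

```javascript
// Added example. The autocomplete tokens below are an assumed definition of
// "confidential"; adjust the set to the fields your own forms collect.
const SENSITIVE_AUTOCOMPLETE = new Set([
  'username', 'email', 'current-password', 'new-password', 'one-time-code',
  'cc-name', 'cc-number', 'cc-exp', 'cc-csc', 'bday', 'tel',
]);

// True when a field should never be handed to a spellchecking tool.
function isSensitive(el) {
  const type = (el.getAttribute('type') || 'text').toLowerCase();
  if (type === 'password') return true;
  const tokens = (el.getAttribute('autocomplete') || '').toLowerCase().split(/\s+/);
  return tokens.some((t) => SENSITIVE_AUTOCOMPLETE.has(t));
}

// Set spellcheck="false" on every sensitive input/textarea under root.
// Returns how many fields had to be changed.
function hardenSensitiveFields(root) {
  let changed = 0;
  for (const el of root.querySelectorAll('input, textarea')) {
    if (isSensitive(el) && el.getAttribute('spellcheck') !== 'false') {
      el.setAttribute('spellcheck', 'false');
      changed += 1;
    }
  }
  return changed;
}

// "Show password" handler. Revealing turns the field into type="text", the
// moment at which the article says passwords were exposed, so spellcheck is
// switched off before the type changes.
function toggleReveal(input) {
  input.setAttribute('spellcheck', 'false');
  const hidden = input.getAttribute('type') === 'password';
  input.setAttribute('type', hidden ? 'text' : 'password');
  return hidden ? 'revealed' : 'hidden';
}

// In a browser, harden the page once the DOM has been parsed.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => hardenSensitiveFields(document));
}
```

Fields added to the page after load need another `hardenSensitiveFields` call, since the function only covers elements present when it runs.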

It appears that until either company updates its privacy policy, the only thing you can do to protect your data is to temporarily disable enhanced spellcheckers or remove them entirely from a browser.