Google Chrome and Microsoft Edge have been found to leak private data through their enhanced spellchecking features.
Simple, built-in spellcheckers are available in both browsers by default, and they don’t share your data with Google or Microsoft. The “Enhanced Spellcheck” add-on for Chrome and the “Microsoft Editor” add-on for Edge, both of which require users to opt in, are different. While it is made clear that your data will be sent back to both companies to improve the products, it is less clear that this could include your personally identifiable information (PII).
Password leaks in Chrome and Edge
According to otto-js, both tools can transmit “basically anything” when used in conjunction with most text fields on a website. It is therefore possible that Google and Microsoft could receive any information you enter on the internet, including your birthday, payment information, contact information, and login credentials.
Most websites that hide passwords online also hide this highly sensitive information from the spellchecking tools. However, when a user clicks to reveal the text (perhaps to check that they have typed it correctly), the information is exposed to those tools as well.
otto-js discovered Chrome transmitting usernames entered on SSA.gov, Bank of America, and Verizon, and found that passwords were also exposed, but only after the “show password” or similar button was clicked.
To prevent accidental disclosure, web developers can add “spellcheck=false” to any input fields that might contain confidential information. This will prevent spellchecking tools from scanning these fields, but it also means spellchecking will not work in them.
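One way a site could apply this mitigation across all of its forms, as an added example that is not code from otto-js, Google or Microsoft. The function names and the heuristics used to decide which fields count as sensitive are assumptions made for illustration.

```javascript
// Added example. The matching heuristics and names are assumptions.
const SENSITIVE_TYPES = new Set(["password", "email", "tel"]);
const SENSITIVE_AUTOCOMPLETE =
  /(^|\s)(username|current-password|new-password|one-time-code|bday|email|tel|cc-)/;
const SENSITIVE_NAME = /user|login|pass|pwd|ssn|card|cvv|cvc|birth|dob|phone|email/i;

// True for inputs/textareas likely to hold credentials, payment data or PII.
function isSensitive(el) {
  const tag = (el.tagName || "").toLowerCase();
  if (tag !== "input" && tag !== "textarea") return false;
  const type = (el.getAttribute("type") || "text").toLowerCase();
  const ac = (el.getAttribute("autocomplete") || "").toLowerCase();
  const label = `${el.getAttribute("name") || ""} ${el.getAttribute("id") || ""}`;
  return SENSITIVE_TYPES.has(type) || SENSITIVE_AUTOCOMPLETE.test(ac) ||
         SENSITIVE_NAME.test(label);
}

// Sets spellcheck="false" on every sensitive field under root and returns the
// fields it changed. Password inputs are included so the attribute is already
// in place when a "show password" toggle switches them to type="text".
function hardenFields(root) {
  const changed = [];
  for (const el of root.querySelectorAll("input, textarea")) {
    if (isSensitive(el) && el.getAttribute("spellcheck") !== "false") {
      el.setAttribute("spellcheck", "false");
      changed.push(el);
    }
  }
  return changed;
}

// Constructed stand-in for a DOM element, so the logic can be exercised
// outside a browser.
function fakeField(tagName, attrs) {
  const a = { ...attrs };
  return { tagName, getAttribute: (k) => (k in a ? a[k] : null),
           setAttribute: (k, v) => { a[k] = String(v); } };
}

// In a browser: harden the current page and any fields added later.
if (typeof document !== "undefined") {
  hardenFields(document);
  new MutationObserver(() => hardenFields(document))
    .observe(document.documentElement, { childList: true, subtree: true });
}
```

Fields that do not match the heuristics, such as a search box or a comment box, keep normal spellchecking.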