Extended spellcheck features in Google Chrome and Microsoft Edge send sensitive form data to Google and Microsoft. The data contains personally identifiable information (PII) and, in certain situations, passwords.
Although the web browser feature is recognized and intentional, it raises questions about what becomes of the data after it’s transmitted and how secure the practice truly is, especially regarding passwords. Basic spellcheckers are enabled by default in Chrome and Edge, but the privacy issue lies in optional features like Chrome’s Enhanced Spellcheck and Microsoft Editor.
What the data contains
If you use popular web browsers such as Chrome or Edge and have advanced spellcheck features activated, your form data is sent to Google and Microsoft, respectively. Depending on the website you visit, the form data may contain personally identifiable information (PII) like social security numbers, names, addresses, emails, dates of birth (DOB), contact information, bank and payment information, and so on.
Otto-js said in a blog post that clicking on ‘show password’ causes the improved spellcheck to send your password to either tech giant, essentially “spell-jacking” your data, as BleepingComputer put it. Users frequently rely on the ‘show password’ option on sites where copying and pasting passwords is not allowed or when they fear mistyping credentials.
Some of the world’s most popular sites have been providing Google and Microsoft with personally identifiable information, including usernames, email addresses and passwords. An even more significant issue for businesses is the risk of exposing corporate credentials for internal assets such as databases and cloud infrastructure.
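For site owners who want to know which of their form fields fall into the categories described above, the following added example (not code from the article or from otto-js) audits form markup and lists the fields a browser spellchecker could read, including password fields that become readable once a 'show password' toggle switches them to plain text. It assumes the standard HTML `spellcheck="false"` attribute as the per-field opt-out; the sample markup, the function names and the list of checkable input types are assumptions made for the example.

```javascript
// Constructed sample markup, not taken from any real site.
const SAMPLE_FORM = `
<form>
  <input type="text" name="full_name">
  <input type="email" name="email" spellcheck="false">
  <input type="password" name="password">
  <input type="password" name="pin" spellcheck="false">
  <textarea name="notes"></textarea>
  <input type="hidden" name="csrf">
</form>`;

// Assumption: input types whose visible text a browser spellchecker can read.
const CHECKABLE = new Set(["text", "search", "email", "url", "tel"]);

// Parse one tag's attributes into a lower-cased name -> value map.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\w+/, "").replace(/\/?>$/, "");
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const m of body.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return the fields whose contents could reach an enhanced spellchecker.
// Limitation: only the field's own attribute is read; a spellcheck value
// inherited from an ancestor element is not taken into account.
function auditSpellcheck(html) {
  const findings = [];
  for (const [tag, el] of html.matchAll(/<(input|textarea)\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    if ((a.spellcheck || "").toLowerCase() === "false") continue; // opted out
    const isTextarea = el.toLowerCase() === "textarea";
    const type = isTextarea ? "textarea" : (a.type || "text").toLowerCase();
    if (type === "password") {
      // Safe while masked; readable once 'show password' makes it type=text.
      findings.push({ name: a.name, type, reason: "readable after 'show password'" });
    } else if (isTextarea || CHECKABLE.has(type)) {
      findings.push({ name: a.name, type, reason: "text readable by spellchecker" });
    }
  }
  return findings;
}

console.log(auditSpellcheck(SAMPLE_FORM));
```

Fields that carry `spellcheck="false"` drop out of the report, so re-running the audit after adding the attribute to sensitive fields confirms the change.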