2 min Security

Browser spellchecks discreetly send passwords to Google and Microsoft

Browser spellchecks discreetly send passwords to Google and Microsoft

Extended spellcheck features in Google Chrome and Microsoft Edge send sensitive form data to Google and Microsoft. The data contains personally identifiable information (PII) and, in certain situations, passwords.

Although the web browser feature is recognized and intentional, it raises questions about what becomes of the data after it’s transmitted and how secure the practice truly is, especially regarding passwords. Basic spellcheckers are enabled by default in Chrome and Edge, but the privacy issue lies in optional features like Chrome’s Enhanced Spellcheck and Microsoft Editor.

What the data contains

If you use popular web- browsers such as Chrome or Edge and have advanced spellcheck features activated, your form data is sent to Google and Microsoft, respectively. Depending on the website you visit, the form data may contain personally identifiable information (PII) like social security numbers, names, addresses, emails, dates of birth (DOB), contact information, bank and payment information, and so on.

Josh Summitt, co-founder and CTO of JavaScript security firm otto-js, uncovered the problem while testing his company’s script behaviour detection. When Chrome Enhanced Spellcheck or Edge’s Microsoft Editor (spellchecker) were activated, “basically anything” entered in the browsers’ form fields was sent to Google and Microsoft.


Otto-js said in a blog post that clicking on ‘show password’ causes the improved spellcheck to send your password to either tech giant, essentially “spell-jacking” your data, as BleepingComputer put it. Users frequently rely on the ‘show password’ option on sites where copying and pasting passwords is not allowed or when they fear mistyping credentials.

Some of the world’s most popular sites have been providing Google and Microsoft with personally identifiable information, including usernames, email addresses and passwords. An even more significant issue for businesses is the risk of exposing corporate credentials for internal assets such as databases and cloud infrastructure.

Tip: SoftwareONE works towards a full-fletched security platform