Your data may be at risk if you use a spell checker

If you like being thorough and using an advanced spell checker, we have some bad news – your personal information might be at risk.

With the advanced spell checker in Google Chrome and Microsoft Edge, everything you type is submitted for verification. Unfortunately, this includes information that should be strictly encrypted, such as passwords.

Enhanced Chrome and Edge spell-checking features expose personal information, even your passwords

This issue, first reported by JavaScript security firm otto-js, was accidentally discovered when the company was testing its script behavior detection. Josh Summitt, co-founder and CTO of otto-js, explains that pretty much everything you type into form fields with advanced spell checking enabled is later submitted to Google and Microsoft.

“If you click ‘Show Password,’ Advanced Spell Checker will even send your password, essentially stealing your data,” otto-js said in its report. “Some of the largest websites in the world are exposed to the sending of users’ sensitive personal data [personally identifiable information] to Google and Microsoft, including username, email, and passwords when users log in or fill out forms. An even greater concern for organizations is the exposure of corporate enterprise credentials to internal assets such as databases and cloud infrastructure.”

Lots of people use “Reveal Password” to make sure they haven’t made a typo, so this is where a lot of passwords could potentially be at risk. Bleeping Computer tested this further and found that entering your username and password on CNN and Facebook sent the data to Google, while SSA.gov, Bank of America and Verizon only sent the usernames.

Both Microsoft Edge and Google Chrome have built-in spell checkers that are pretty basic. These tools require no further verification – what you type stays in your browser. However, if you use Chrome’s enhanced spell checker or Microsoft’s Notepad spelling and grammar checker, everything you type into the browser is sent to Google and Microsoft, respectively.

That in itself is not unexpected. When you turn on Enhanced Spell Checking in Chrome, the browser tells you that “the text you type into the browser will be sent to Google.” However, many people would expect this to exclude PII, which is often submitted in forms.

The severity depends on the websites you visit. Some form data may include social security numbers, your full name, address, and payment information. Credentials also fall into this category.

It’s understandable that what you type is sent outside the browser to take advantage of improved spell checking, but it’s hard not to question how secure this is when personal data gets the same treatment.

This is how you stay safe


If you do not wish to transmit your personal data to Microsoft and Google, you should stop using the enhanced spell checker for the time being. In Chrome, this means turning off the feature in your settings. Just copy and paste this into your browser’s address bar: chrome://settings/?search=Enhanced+Spell+Check.

For Microsoft Edge, Advanced Spell Checker comes in the form of a browser add-on, so just right-click this extension’s icon in your browser and then tap Remove from Microsoft Edge.
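
Site operators can also limit this exposure from their side: the standard HTML `spellcheck` attribute, set to `false`, tells the browser not to spell-check a field. The following is an added example, not code from the article or from otto-js; the name patterns and the `fakeField` stand-in are assumptions made for illustration.

```javascript
// Added example: site-side hardening, not code from the article or otto-js.
// The name patterns are assumed heuristics; tune them for your own forms.
const SENSITIVE_NAME = /pass|pwd|secret|token|ssn|card|cvv|user|email/i;
const SENSITIVE_AUTOCOMPLETE = /password|username|email|cc-|one-time-code/i;

// True when a field is likely to carry credentials or PII.
function isSensitive(el) {
  const type = (el.getAttribute('type') || 'text').toLowerCase();
  if (type === 'password' || type === 'email') return true;
  const hints = [el.getAttribute('name'), el.getAttribute('id')].join(' ');
  return SENSITIVE_NAME.test(hints) ||
    SENSITIVE_AUTOCOMPLETE.test(el.getAttribute('autocomplete') || '');
}

// Set spellcheck="false" on every sensitive field. type="password" fields are
// included on purpose: a "show password" toggle flips them to type="text",
// which is the case the article describes. Returns the names it changed.
function hardenFields(fields) {
  const changed = [];
  for (const el of fields) {
    if (!isSensitive(el) || el.getAttribute('spellcheck') === 'false') continue;
    el.setAttribute('spellcheck', 'false');
    changed.push(el.getAttribute('name') || el.getAttribute('id'));
  }
  return changed;
}

// In a browser: harden now, and again when fields are added or change type.
if (typeof document !== 'undefined') {
  const run = () => hardenFields(document.querySelectorAll('input, textarea'));
  run();
  new MutationObserver(run).observe(document.documentElement,
    { childList: true, subtree: true, attributes: true, attributeFilter: ['type'] });
}

// Constructed stand-in for DOM elements so the example also runs under Node.
function fakeField(attrs) {
  const a = { ...attrs };
  return { getAttribute: (k) => (k in a ? a[k] : null),
           setAttribute: (k, v) => { a[k] = String(v); } };
}
const sampleForm = () => [
  fakeField({ name: 'login_user', type: 'text' }),
  fakeField({ name: 'login_pass', type: 'password' }),
  fakeField({ name: 'search', type: 'search' }),
  fakeField({ name: 'comment', type: 'text', spellcheck: 'true' }),
];
console.log(hardenFields(sampleForm()));
```

The same attribute can be written directly into the form markup, which covers fields before any script runs.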

Google has given assurances that it does not attach any user identity to the data it processes for spell checking, and says it will work to exclude passwords from it completely. Microsoft said it would investigate the issue, but hasn’t followed up with Bleeping Computer yet. Microsoft currently has another problem with Edge: hackers are using it to run a malvertising campaign.
