Your data may be in danger if you use a spellchecker

If you want to be thorough and use an advanced spell checker, we have bad news: your personal information could be at risk.

If you use the extended spell checker in Google Chrome and Microsoft Edge, anything you enter will be sent for checking. Unfortunately, this includes information that must be strictly encrypted, such as passwords.

This issue, first reported by JavaScript security company otto-js, was accidentally discovered while the company was testing script behavior detection. Josh Summitt, co-founder and CTO of otto-js, explains that virtually anything you enter into form fields with the advanced spell checker enabled is later forwarded to Google and Microsoft.

“If you click on ‘show password’, the improved spell checker will even send your password, essentially spelling out your data,” otto-js says in its report. “Some of the largest websites in the world have been exposed to sending PII [personally identifiable information] to sensitive users from Google and Microsoft, including username, email address, and passwords, when users log in or fill out forms. An even bigger concern for companies is the exposure this creates to the company’s corporate credentials to internal assets such as databases and cloud infrastructure.”

Many people use “show password” to make sure they haven’t made a typo, so many passwords may be at risk here. Bleeping Computer tested this further and found that entering your username and password on CNN and Facebook sent the data to Google, while SSA.gov, Bank of America and Verizon only sent the usernames.

Both Microsoft Edge and Google Chrome come with built-in spell checkers that are quite simple. These basic tools do their checking inside the browser: what you enter stays in your browser. However, if you use Chrome’s Enhanced Spell Checker or Microsoft Editor’s Spelling and Grammar Checker, anything you type in the browser is then sent to Google and Microsoft, respectively.

That in itself is not unexpected. When you enable the improved spell checker in Chrome, the browser tells you that the ‘text you type in the browser will be sent to Google’. However, many people would expect that PII that is often submitted in forms is excluded.

The severity of this depends on the websites you visit. Some form data may include Social Security Numbers, your full name, address, and payment information. Login details also fall under this category.

It’s understandable that your input will be sent outside of the browser to use the enhanced spell checker, but it’s hard not to wonder how secure this is when personal data gets the same treatment too.

How do you stay safe?


If you prefer not to have your personal information passed on to Microsoft and Google, you should stop using the advanced spell checker for now. This means you need to disable the feature in your Chrome settings. Simply copy and paste this into your browser’s address bar: chrome://settings/?search=Enhanced+Spell+Check.

For Microsoft Edge, the advanced spell checker comes in the form of a browser add-on, so right-click on that extension’s icon in your browser and then tap Remove from Microsoft Edge.
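For site owners reviewing their own forms, here is an added example (not from the article, otto-js or Bleeping Computer) that lists fields whose contents could leave the browser when a visitor has the advanced spell checker enabled. It assumes the standard HTML `spellcheck="false"` attribute as the site-side opt-out, which the article does not cover; the name hints and the sample markup are constructed.

```python
from html.parser import HTMLParser

TEXT_TYPES = {"text", "email", "search", "tel", "url", "textarea"}
SENSITIVE_HINTS = ("user", "mail", "ssn", "card", "address")  # assumed hints
AS_TYPED = "text field: checked as typed"
ON_REVEAL = "password field: checked once 'show password' makes it text"


def _off(attrs):
    # Only the literal value "false" disables checking; "" and "true" enable it.
    return (attrs.get("spellcheck") or "").strip().lower() == "false"


class SpellcheckAudit(HTMLParser):
    """Flag sensitive fields not opted out of spell checking.
    Conservative: only <form>-level inheritance of the attribute is modelled."""

    def __init__(self):
        super().__init__()
        self.form_off = False
        self.findings = []

    def handle_starttag(self, tag, attr_list):
        attrs = dict(attr_list)
        if tag == "form":
            self.form_off = _off(attrs)
        if tag not in ("input", "textarea"):
            return
        # Opted out on the field itself, or inherited from the enclosing form.
        if _off(attrs) or (self.form_off and "spellcheck" not in attrs):
            return
        name = (attrs.get("name") or attrs.get("id") or "").lower()
        kind = "textarea" if tag == "textarea" else (attrs.get("type") or "text").lower()
        if kind == "password":
            self.findings.append((name, ON_REVEAL))
        elif kind in TEXT_TYPES and any(h in name for h in SENSITIVE_HINTS):
            self.findings.append((name, AS_TYPED))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False


def audit(html):
    parser = SpellcheckAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one unprotected login form, one form with an opt-out.
SAMPLE = """<form><input name="username"><input name="password" type="password">
<input name="remember" type="checkbox"></form><form spellcheck="false">
<input name="email" type="email"><input name="new_password" type="password">
<textarea name="address" spellcheck="true"></textarea></form>"""
```

On the sample, the login form's username and password fields are reported, and so is the address box that re-enables checking inside the opted-out form.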

Google has given assurances that it does not associate a user’s identity with the data it processes for the spell check. It will, however, work to exclude passwords from this processing completely. Microsoft said it will investigate the issue, but has not followed up with Bleeping Computer yet. Microsoft currently has another problem with Edge: hackers are using it to run a malvertising campaign.
