Your browser's spell checker could leak your passwords

Some extended spell checking features added to the Google Chrome and Microsoft Edge web browsers have been found to send sensitive information back to their parent companies.

An analysis by JavaScript security firm otto-js found that the majority of users enable features they deem beneficial to their productivity, only to find that they are revealing their own personal information, such as names, usernames, emails, passwords and more, to the respective browser companies.

Both browsers have built-in basic spell checking features enabled by default, which do not pass data to Google or Microsoft. Chrome's "Enhanced Spell Checker" and Edge's "Microsoft Editor" are optional add-ons that users must explicitly allow, and while it is clearly stated that your data will be sent back to both companies to improve the products, it is not so obvious that this could include your personally identifiable information (PII).

Chrome and Edge password leaks

Working in conjunction with most text fields on a web page, both tools have access to "basically anything," says otto-js. This means that all the data you enter online, including your date of birth, payment information, contact details, and login credentials, may be sent to Google and Microsoft.

Most websites that accept passwords online hide this highly sensitive information from spell-check tools, but when a user clicks to reveal the text (perhaps to check whether they typed it correctly), the information is exposed.

Bleeping Computer reported finding usernames for SSA.gov, Bank of America, and Verizon being passed along when using Chrome, with passwords for CNN and Facebook also exposed, but only when the "Show password" button or an equivalent had been clicked.

One way to minimize exposure is for web developers to include "spellcheck=false" in any input fields that might require sensitive information, effectively blocking those fields from spell checking tools, although of course this means that spell checking will be disabled on these inputs.
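The check below is an added example, not code from otto-js or either browser vendor: it scans page markup for input fields that look sensitive and lack spellcheck="false", so the mitigation above can be verified in a build or review step. The keyword heuristics, function names and sample forms are assumptions constructed for illustration.

```javascript
// Added example: audit HTML for sensitive fields that lack spellcheck="false".
// The SENSITIVE keyword heuristic is an assumption, not an official list.
const SENSITIVE = /pass|pwd|user|login|email|ssn|card|cvv|cvc|birth|dob|account/i;

// Parse the attributes of one tag into a lower-cased name -> value map.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*[a-z0-9]+/i, '').replace(/\/?>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of body.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || '';
  }
  return attrs;
}

// Return sensitive-looking fields that are not opted out of spell checking.
function findExposedFields(html) {
  const findings = [];
  for (const [tag, el] of html.matchAll(/<(input|textarea)\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    const type = (a.type || 'text').toLowerCase();
    if (['hidden', 'submit', 'button', 'checkbox', 'radio', 'file'].includes(type)) continue;
    // type="password" is included: a "show password" control reveals it as text.
    const sensitive = type === 'password' ||
      SENSITIVE.test(`${a.name || ''} ${a.id || ''} ${a.autocomplete || ''}`);
    const isProtected = (a.spellcheck || '').toLowerCase() === 'false';
    if (sensitive && !isProtected) {
      findings.push({ element: el.toLowerCase(), name: a.name || a.id || '(unnamed)', type });
    }
  }
  return findings;
}

// Constructed sample markup: a weak login form and a corrected one.
const WEAK_FORM = `
<form>
  <input type="text" name="username">
  <input type="password" name="password" id="pw">
  <input type="checkbox" name="show-password">
  <textarea name="comment"></textarea>
</form>`;
const FIXED_FORM = `
<form>
  <input type="text" name="username" spellcheck="false">
  <input type="password" name="password" id="pw" spellcheck="false">
</form>`;

console.log(findExposedFields(WEAK_FORM));
console.log(findExposedFields(FIXED_FORM));
```

The tag matching is regex-based and assumes no `>` inside attribute values; run it against rendered templates rather than arbitrary HTML.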

From the user side, temporarily disabling enhanced spell checkers or removing them entirely from a browser seems to be the only way to keep your data safe, at least until one company or another revises their privacy policy.