Your browser spellchecker could be leaking your passwords

Chrome and Edge extended spellcheckers are leaking your information


Some extended spellchecking features added to the Google Chrome and Microsoft Edge web browsers have been found to be leaking sensitive information back to their parent companies.

An analysis by JavaScript security firm otto-js found most users enable features that they believe to be beneficial to their productivity, only to find that they are leaking their own personal information such as usernames, emails, passwords, and more, to the browsers’ respective companies.

Both browsers have basic, built-in spellchecking features enabled by default, which do not transmit data back to Google or Microsoft. Chrome’s ‘Enhanced Spellcheck’ and Edge’s ‘Microsoft Editor’ are exclusively opt-in add-ons that users must explicitly authorize, and while it’s made clear that your data will be sent back to both companies to improve the products, it’s not so obvious that this could include your personally identifiable information (PII).

Chrome and Edge password leaks


Working in conjunction with most text fields on a webpage, both tools have access to “basically anything”, says otto-js. This means that any data you input online, including your date of birth, payment details, contact information, and login credentials, could all be sent back to Google and Microsoft.


Most websites that block out passwords online obscure this highly sensitive information from the spellchecking tools, but when a user clicks to uncover the text (maybe to check if they have typed it correctly), the information is subsequently exposed.

Bleeping Computer reported it found the transmission of usernames to SSA.gov, Bank of America, and Verizon, using Chrome, with passwords also being exposed to CNN and Facebook only when the ‘show password’ or equivalent button had been clicked.

One way to minimize exposure is for web developers to add “spellcheck=false” to any input fields that may receive sensitive information, effectively excluding those fields from spellchecking tools, though this will of course mean that spellchecking is disabled for those entries.
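As an added illustration (not code from this article or from otto-js), the JavaScript below audits a form for sensitive fields that have not opted out of spellchecking and sets spellcheck="false" on them, including a password field whose type was switched to text by a ‘show password’ button. The name and autocomplete heuristics and the stand-in element objects are assumptions made for the example.

```javascript
// Heuristics for "sensitive" fields. These patterns are assumptions for the
// example, not a list published by the article; tune them for your own forms.
const SENSITIVE_AUTOCOMPLETE = /^(username|email|current-password|new-password|one-time-code|bday|tel|cc-)/i;
const SENSITIVE_NAME = /(pass|pwd|user|login|email|ssn|card|cvv|cvc|dob|birth)/i;

function isSensitive(el) {
  const type = (el.getAttribute("type") || "text").toLowerCase();
  // A password field is flagged even while masked: a "show password"
  // toggle later turns it into type="text", which spellcheckers do read.
  if (type === "password" || type === "email") return true;
  const ac = el.getAttribute("autocomplete") || "";
  const label = (el.getAttribute("name") || "") + " " + (el.getAttribute("id") || "");
  return SENSITIVE_AUTOCOMPLETE.test(ac) || SENSITIVE_NAME.test(label);
}

// Sensitive fields that do not carry spellcheck="false".
function findExposedFields(elements) {
  return Array.from(elements).filter(
    (el) => isSensitive(el) &&
            (el.getAttribute("spellcheck") || "").toLowerCase() !== "false"
  );
}

// Opt every exposed field out of spellchecking; returns how many were changed.
function hardenFields(elements) {
  const exposed = findExposedFields(elements);
  exposed.forEach((el) => el.setAttribute("spellcheck", "false"));
  return exposed.length;
}

// Constructed stand-in for a DOM element so the example runs outside a browser.
function fakeInput(attrs) {
  const a = { ...attrs };
  return {
    getAttribute: (k) => (k in a ? a[k] : null),
    setAttribute: (k, v) => { a[k] = String(v); },
  };
}

// Constructed sample form (not taken from any real site).
const sampleForm = [
  fakeInput({ type: "text", name: "search" }),                      // not sensitive
  fakeInput({ type: "text", name: "username", autocomplete: "username" }),
  fakeInput({ type: "password", name: "pw", spellcheck: "false" }), // already opted out
  fakeInput({ type: "text", name: "password" }),                    // after "show password"
];

// In a page: hardenFields(document.querySelectorAll("input, textarea"));
```

Running the audit again after the show-password handler changes a field’s type confirms the attribute is still in place.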


On a user’s end, temporarily disabling enhanced spellcheckers or removing them entirely from a browser seem to be the only ways of protecting your data, at least until either company revises its privacy policy.

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!
