Google, Microsoft Can Get Your Passwords Through Web Browser’s Spell Check


Extended spell checking features in the Google Chrome and Microsoft Edge web browsers transmit form data, including personally identifiable information (PII) and, in some cases, passwords, to Google and Microsoft, respectively.

While this may be a known and desired feature of these web browsers, it raises concerns about what happens to the data after transmission and how secure this practice can be, especially when it comes to password fields. .

Chrome and Edge both ship with basic spell checkers enabled. But, features such as Chrome’s Enhanced Spellcheck or Microsoft Editor exhibit this potential privacy risk when enabled manually by the user.

Spell-Jacking: It’s Your Spell Checking That’s Sending Big Tech to PII

When using major web browsers such as Chrome and Edge, your form data is transmitted to Google and Microsoft respectively, with enhanced spell checking features enabled.

Depending on the website you visit, the form data itself may include PII—including Social Security Number (SSN)/Social Insurance Number (SIN), name, address, email, date of birth (DOB), contact information is, but is not limited to these. Bank and payment information, and so on.

Josh Summitt, co-founder and CTO of JavaScript security firm Otto-JS, discovered the issue while testing his company’s script behavior detection.

In cases where Chrome Enhanced Spellcheck or Edge’s Microsoft Editor (Spellchecker) was enabled, “basically anything” entered in the form fields of these browsers was transmitted to Google and Microsoft.

“Plus, if you click ‘Show Password’, Advanced Spell Checking also sends your password, essentially spell-jacking your data,” explains Otto-JS in a blog post,

“Some of the world’s largest websites are at risk of Google and Microsoft sending sensitive user PII, including usernames, emails and passwords, when users are logging in or filling out forms. An even more important concern for companies is that This presents the company’s enterprise credentials for internal assets such as databases and cloud infrastructure.”

alibaba login form field
Alibaba login form field, with ‘show password’ enabled (auto-js)
Advanced spell-checker transmits passwords to Microsoft and Google
Chrome’s advanced spell-checker sends passwords to Google (auto-js)

Users can often rely on the “Show Password” option on sites where copy-pasting a password is not allowed, for example, or when they suspect they have mistyped it.

To demonstrate, Otto-JS shared an example of a user entering credentials on Alibaba’s cloud platform in the Chrome web browser—though any website can be used for this demonstration.

With Enhanced Spellcheck enabled, and assuming the user has tapped the “Show Password” feature, form fields including username and password are transmitted to Google,

A video demonstration has also been shared by the company:

BleepingComputer also noticed credentials being transmitted to Google in our tests for visiting major sites using Chrome:

  • CNN—Both username and password when using ‘show password’
  •—both username and password when using ‘Show Password’
  • (Social Security Login)—username field only
  • Bank of America—username field only
  • Verizon—username field only

A simple HTML solution: ‘spellcheck=false’

Although transmission of form fields is taking place securely over HTTPS, it may not be clear what happens after user data reaches third parties, in this example, Google’s servers.

“The Advanced spell check feature Requires an opt-in from the user,” a Google spokesperson confirmed to BleepingComputer. Note, this is in contrast to the native spell-checker which is enabled by default in Chrome and does not transmit data to Google.

To review whether your Chrome browser has advanced spell checking enabled, copy-paste the following link into your address bar. You can then choose to turn it on or off:


Chrome Enhanced Spellcheck Settings
Requires you to opt-in to the advanced spell check setting in Chrome (bleeping computer)

As is evident from the screenshot, the feature’s description clearly states that when Enhanced Spell Check is enabled, “the text you type in the browser is sent to Google.”

“Text typed by a user may contain sensitive personal information and Google does not attach it to any user identification and only temporarily processes it on the server. To further ensure user privacy, we use spelling passwords.” Will actively work to get him out of the investigation.” Continued to Google in its statement shared with us.

“We appreciate collaboration with the security community, and we are always on the lookout for ways to better protect user privacy and sensitive information.”

For Edge, Microsoft Editor Spelling & Grammar Checker is a browser addon This behavior needs to be explicitly established for this to occur.

BleepingComputer had contacted Microsoft long before publication. We were told that the matter is under investigation but we are yet to hear anything.

Otto-JS dubbed the attack vector “spell-jacking” and expressed concern for users of cloud services such as Office 365, Alibaba Cloud, Google Cloud – Secret Manager, Amazon AWS – Secret Manager and LastPass.

Responding to the Otto-JS report, both AWS and LastPass downplayed the issue. In the case of LastPass, the remedy was done by adding a simple HTML attribute spell check = “false” In the Password field:

LastPass Password Field
LastPass “password” field now includes HTML attribute spellchecked=false (bleeping computer)

‘Spellcheck’ HTML attribute when form text is left out of input fields This is generally believed to be true by web browsers. by default. An input field with ‘spell check’ is explicitly set to false Will not be processed through the spellchecker of the web browser.

“Companies can reduce the risk of their customers sharing PII – by adding ‘spellcheck=false’ to all input fields, although this can cause problems for users,” explains Otto-JS, referring to this fact. However, users will no longer be able to play their entered text though the spell checker.

“Alternatively, you can add this only to form fields containing sensitive data. Companies can also remove the ability to ‘show passwords.’ This will not prevent spell-jacking, but it will prevent the user’s password from being sent. “

Ironically, we looked at Twitter’s login form, which comes with a “show password” option, with the password field’s “spell check” HTML attribute explicitly set to true:

Twitter Spell Check Area
Twitter Password field has ‘Show password’ and spell check set to true (bleeping computer)

As an added security, Chrome and Edge users can turn off advanced spell checking (by following the steps above) or Remove Microsoft Editor Add-on from Edge Unless both companies have modified extended spell checkers to exclude processing of sensitive fields such as passwords.

Be the first to comment

Leave a Reply

Your email address will not be published.