Spell check in your browser is causing data leaks

An analysis by the JavaScript security company Otto-JS found that some extended spell checking features added to Google Chrome and Microsoft Edge are causing data leak. They pass form data, including personally identifiable information (PII) and, in some cases, passwords, to the respective web browser owner.

Read more: How do you prevent personal data from being leaked by apps?

Data Leak Detection

It was Josh Summit, co-founder and CTO of Otto-JS who discovered all this and cautioned that these spell-checking features are often active even if users are not aware of it.

Both browsers have basic spell checking built in by default and do not send data back to Google or Microsoft. However, the Enhanced Spelling extension in Chrome and the Microsoft Editor in Edge are optional add-ons.

However, users need explicit authorization, and while it is clear that their data will be sent to the two companies to improve the product, it is not clear that this may include their personally identifiable information.

Access all data online

The security company said Chrome and Edge, which work alongside most text fields on a web page, can access “basically anything”.

This means that all data entered online, including your date of birth, payment details, contact information, logins and passwords, can be sent to Google and Microsoft browsers.

Sumit even said that if the “Show password” option is enabled, the feature will still be pushed to third-party servers. Bleeping Computer reported that it discovered Chrome was being used to broadcast usernames to SSA.gov, Bank of America, and Verizon, and passwords to CNN and Facebook were also exposed in this way.

What would be the solution?

One way to reduce exposure is for web developers to include a detail called “spelling=false” in all input fields that may require sensitive information.

Thus, this will effectively block these fields in the browsers spell checker, although this means that the spell checking of these entries will be disabled.

On the user side, temporarily disabling the enhanced spell checker or completely removing it from the browser appears to be the only way to protect your data, at least until a company reviews their privacy policy.