Data Leak Detection
It was Josh Summit, co-founder and CTO of Otto-JS, who discovered all this. He cautioned that these spell-checking features are often active even if users are not aware of it.
Both browsers have basic spell checking built in by default, and it does not send data back to Google or Microsoft. The Enhanced Spelling extension in Chrome and the Microsoft Editor in Edge, however, are optional add-ons.
These add-ons require explicit authorization from the user, and while it is clear that data will be sent to the two companies to improve the product, it is not clear that this may include personally identifiable information.
Access all data online
The security company said that these features in Chrome and Edge work in most text fields on a web page and can access “basically anything”.
This means that all data entered online, including your date of birth, payment details, contact information, logins and passwords, can be sent by the browsers to Google and Microsoft.
Summit even said that if the “Show password” option is enabled, the password will still be sent to third-party servers. Bleeping Computer reported that it observed Chrome transmitting usernames entered on SSA.gov, Bank of America, and Verizon, and that passwords entered on CNN and Facebook were also exposed in this way.
What would be the solution?
One way to reduce exposure is for web developers to add the attribute spellcheck="false" to all input fields that may take sensitive information.
This excludes those fields from the browser's spell checker, at the cost of disabling spell checking for those entries.
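One way to check page templates for this mitigation, as an added example that is not from the original article: a Python audit built on the standard-library HTML parser that reports sensitive-looking text fields lacking spellcheck="false". The keyword list, the function names and the sample form are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Heuristic markers for sensitive fields (constructed list; extend per application).
SENSITIVE = re.compile(r"pass|pwd|user|login|email|ssn|birth|dob|card|cvv|cvc|iban|phone", re.I)
SENSITIVE_TYPES = {"password", "email", "tel"}
# Input types that take no typed text, so spell checking does not apply.
NON_TEXT_TYPES = {"hidden", "submit", "button", "checkbox", "radio", "file", "image", "reset"}

class SpellcheckAudit(HTMLParser):
    """Collect sensitive text-entry elements that lack spellcheck="false"."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        editable = "contenteditable" in a and a["contenteditable"].lower() != "false"
        if tag not in ("input", "textarea") and not editable:
            return
        field_type = a.get("type", "text").lower()
        if tag == "input" and field_type in NON_TEXT_TYPES:
            return
        hints = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete", "placeholder"))
        sensitive = field_type in SENSITIVE_TYPES or SENSITIVE.search(hints)
        # Only the element's own attribute is checked; a value inherited from an
        # ancestor is not tracked, so the audit errs towards reporting.
        if sensitive and a.get("spellcheck", "").lower() != "false":
            line, _ = self.getpos()
            self.findings.append((line, tag, a.get("name") or a.get("id") or "?"))

def audit(html):
    parser = SpellcheckAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample form, not taken from any real site.
SAMPLE = """<form>
<input type="text" name="username">
<input type="password" name="password" spellcheck="false">
<input type="password" name="confirm_password">
<input type="text" name="search_query">
<textarea id="card-notes"></textarea>
<input type="hidden" name="csrf_token">
</form>"""

if __name__ == "__main__":
    for line, tag, name in audit(SAMPLE):
        print(f'line {line}: <{tag}> "{name}" needs spellcheck="false"')
```

Password inputs are audited as well, because the article notes that a password revealed with “Show password” is still sent.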