Enhanced spellcheck, supported by Google Chrome and Microsoft Edge, would expose users’ passwords and data

Fortunately proposed as an optional setting, the enhanced spellcheck feature supported by Google Chrome and Microsoft Edge would expose more than just text entered into web pages, with independent investigations showing that Google indiscriminately picks up passwords and other sensitive data entered into web forms.

For example, data such as usernames, email addresses, and other data filled into web forms are automatically uploaded to Google’s servers under the guise of sending that information to the online spell-checking engine for processing. Part of the scheme, even passwords can be sent through these functions, but only when the “show password” button is used, converting the otherwise hidden password into visible text that is sent to the spell-checking engine.

Apparently, the inconvenience stems from the way the two web browsers, Chrome and Edge, handle users’ personal data, with the system appearing not to differentiate very well between text sent for spell checking and data entered into web forms, all going to the same cloud processing service without really discriminating between the data entered.

The problem is already recognized among developers of applications in the password manager category (e.g. LastPass), receiving the label ‘spell-jacking’. The only good news is that the option for automatic spell-checking only appears as an optional setting in the initial browser configuration, and the setting must be checked by users before it takes effect. However, those who tick this option end up sending most of their data to Google without even realising it.