
Spellcheckers in Google Chrome could expose your passwords

If you like to be thorough and use an advanced spellchecker, we have some bad news — your personal information could be in danger.

Using the extended spellcheck in Google Chrome and Microsoft Edge transmits everything you input in order for it to be checked. Unfortunately, this includes information that should be strictly encrypted, such as passwords.


This issue, first reported by JavaScript security firm otto-js, was discovered accidentally while the company was testing its script behaviors detection. Josh Summitt, co-founder and CTO of otto-js, explains that pretty much everything you enter in form fields with advanced spellchecker enabled is later transmitted to Google and Microsoft.


“If you click on ‘show password,’ the enhanced spellcheck even sends your password, essentially spell-jacking your data,” said otto-js in its report. “Some of the largest websites in the world have exposure to sending Google and Microsoft sensitive user PII [personally identifiable information], including username, email, and passwords, when users are logging in or filling out forms. An even more significant concern for companies is the exposure this presents to the company’s enterprise credentials to internal assets like databases and cloud infrastructure.”

Many people use “show password” in order to make sure they haven’t made a typo, so potentially, a lot of passwords could be at risk here. Bleeping Computer tested this further and found that entering your username and password on CNN and Facebook sent the data to Google, while SSA.gov, Bank of America, and Verizon only sent the usernames.

Both Microsoft Edge and Google Chrome come with built-in spellcheckers that are pretty basic. These tools don’t require any further verification — what you input stays within your browser. However, if you’re using Chrome’s Enhanced Spellcheck or Microsoft’s Editor Spelling & Grammar Checker, everything you type in the browser is then sent to Google and Microsoft respectively.

That, in itself, is not unexpected. When you enable the enhanced spellchecker in Chrome, the browser tells you that the “text that you type in the browser is sent to Google.” However, many people would expect that this excludes PII that is often submitted in forms.

The severity of this depends on the websites you visit. Some form data may include Social Security numbers and Social Insurance numbers, your full name, address, and payment information. Login credentials also fall under this category.

It’s understandable that your inputs are sent outside of the browser in order to utilize the improved spellchecker, but it’s hard not to question how secure this is when personal data also receives that same treatment.

How to stay safe


If you’d rather not have your personal data transmitted to Microsoft and Google, you should stop using the advanced spellchecker for the time being. This means disabling the feature in your Chrome settings. Simply copy and paste this into your browser’s address bar: chrome://settings/?search=Enhanced+Spell+Check.

For Microsoft Edge, the advanced spellchecker comes in the form of a browser add-on, so simply right-click the icon of that extension in your browser and then tap on Remove from Microsoft Edge.
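Site operators can also reduce this exposure on their own pages, because the standard HTML `spellcheck` attribute turns spellchecking off for a field. The sketch below is an added example, not code from otto-js, Google or Microsoft; the helper names, the name patterns and the sample fields are assumptions made for illustration.

```javascript
// Added example: mark sensitive form fields spellcheck="false" so browser
// spellcheckers skip them. Patterns and sample fields are constructed.
const SENSITIVE_NAME = /pass|pwd|user|login|email|ssn|card|cvv|account/i;
const SENSITIVE_AUTOCOMPLETE = /username|password|email|cc-|one-time-code/i;

function isSensitive(el) {
  const type = (el.getAttribute("type") || "text").toLowerCase();
  // A password field is typically switched to type="text" by a
  // "show password" toggle, so it is hardened in advance.
  if (type === "password" || type === "email") return true;
  const label = [el.getAttribute("name"), el.getAttribute("id")]
    .filter(Boolean).join(" ");
  return SENSITIVE_NAME.test(label) ||
         SENSITIVE_AUTOCOMPLETE.test(el.getAttribute("autocomplete") || "");
}

// Sets spellcheck="false" on sensitive fields that lack it and returns
// the names of the fields it changed, for logging or review.
function hardenFields(elements) {
  const changed = [];
  for (const el of elements) {
    if (!isSensitive(el)) continue;
    if ((el.getAttribute("spellcheck") || "").toLowerCase() === "false") continue;
    el.setAttribute("spellcheck", "false");
    changed.push(el.getAttribute("name") || el.getAttribute("id") || "(unnamed)");
  }
  return changed;
}

// Stand-in for a DOM element so the example runs under Node (constructed).
function fakeField(attrs) {
  const a = { ...attrs };
  return {
    getAttribute: (k) => (k in a ? a[k] : null),
    setAttribute: (k, v) => { a[k] = String(v); },
  };
}

const sampleForm = [
  fakeField({ type: "text", name: "username" }),
  fakeField({ type: "password", name: "password" }),
  fakeField({ type: "text", name: "ssn", spellcheck: "false" }),
  fakeField({ type: "text", name: "comment" }),
];

const hardened = hardenFields(sampleForm);
console.log("fields changed:", hardened);
// In a browser: hardenFields(document.querySelectorAll("input, textarea"));
```

Fields added to the page after load, such as a login form rendered by a script, need the same call once they exist.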

Google has given assurances that it doesn’t attach any user identity to the data it processes for the spellchecker, and it says it will work on excluding passwords from this entirely. Microsoft said it will investigate the problem, but has not yet followed up with Bleeping Computer beyond that. Microsoft currently has another problem with Edge: hackers are using it to run a malvertising campaign.

Monica J. White