Security News > 2022 > September > Google, Microsoft can get your passwords via web browser's spellcheck
Extended spellcheck features in Google Chrome and Microsoft Edge web browsers transmit form data, including personally identifiable information and in some cases, passwords, to Google and Microsoft respectively.
In cases where Chrome Enhanced Spellcheck or Edge's Microsoft Editor were enabled, "Basically anything" entered in form fields of these browsers was transmitted to Google and Microsoft.
"Some of the largest websites in the world have exposure to sending Google and Microsoft sensitive user PII, including username, email, and passwords, when users are logging in or filling out forms. An even more significant concern for companies is the exposure this presents to the company's enterprise credentials to internal assets like databases and cloud infrastructure."
With enhanced spellcheck enabled, and assuming the user tapped "Show password" feature, form fields including username and password are transmitted to Google at the googleapis.com.
"The text typed by the user may be sensitive personal information and Google does not attach it to any user identity and only processes it on the server temporarily. To further ensure user privacy, we will be working to exclude passwords proactively from spell check," continued Google in its statement shared with us.
As an added safeguard, Chrome and Edge users can turn off Enhanced Spell Check or remove the Microsoft Editor add-on from Edge until both companies have revised extended spellcheckers to exclude processing of sensitive fields, like passwords.