Enhanced spellcheckers like Microsoft Editor in Edge can transmit password info

Reading time icon 2 min. read

Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more

Researchers at JavaScript security company otto-js, while testing script behaviors detection, noticed something unusual: enhanced spellcheckers, like the Enhanced Spellchecker in Google’s Chrome (off by default, needs to be turned on), or Microsoft’s Editor (an Edge plugin, needs to be installed), send potentially personal identifiable information (PII) to servers at Google and Microsoft, respectively.

What’s more, if users take advantage of the “Show Password” option, then passwords themselves can be transmitted, as well.

The info, potentially anything entered in form fields while these enhanced spell checkers are on, is only sent temporarily to Google, the company said:

“The text typed by the user may be sensitive personal information and Google does not attach it to any user identity and only processes it on the server temporarily. To further ensure user privacy, we will be working to exclude passwords proactively from spell check.”

In addition, turning on Enhanced Spell Checker in Chrome states that “(t)ext that you type in the browser is sent to Google.”

Both Microsoft and Google use company servers to perform the enhanced spellchecks, but in doing so may be opening up attack vectors that users may not be aware of.

You can read more about the research conducted by otto-js in their blog post.

(via BleepingComputer)