Spell-checking feature in web browsers can transmit your password to Google and Microsoft

Many of us click the “show password” option to check that we have typed a password correctly, and sites often prompt us to do so when a password does not match. A recent study by Josh Summit has produced some alarming findings about the browser spellcheck feature.


This feature transmits form data to Google and Microsoft, exposing the people who use it. It may also transfer personally identifiable information (PII). This well-intended browser feature may therefore concern many parties.

Because the feature is easy to overlook, many of us have enabled it to save time, pasting a password into the field and double-checking its spelling. That raises the question of what happens when such data is transmitted and how to protect it, especially for the password field.

Chrome and Edge both ship with spellchecking in their settings. The enhanced version of the feature must be enabled manually, and users enable it to save time, yet it leads to a harmful way of transmitting data.

Once the feature is enabled, it automatically transfers the data to Google and Microsoft. Josh Summit, co-founder and CTO of JavaScript, detected this fault while running tests. The research reported that 73% of the sites and groups tested transmit the data to a third party if you click the show-password feature.

He further explained that, once the feature is enabled, it can transfer PII including Social Security numbers (SSNs), names, addresses, dates of birth, and bank and payment details.

The form data is said to be transmitted securely over HTTPS. Google is also working to protect its users by eliminating the spellcheck issue. For now, the Enhanced spellcheck feature can be disabled by going to the browser settings and turning it off.

Moreover, Google's spellcheck setting explicitly states that the text you type in the browser is sent to Google. It also states that Google does not pass the data to any third party but processes it on the server temporarily.

Furthermore, Google is proactively working to remove passwords from spellchecking to protect users. Both AWS and LastPass are said to have mitigated the issue by adding the HTML attribute spellcheck="false" to their fields.

This attribute stops the browser's spellchecker from reading the login fields. Most companies can also stop spell-jacking by simply removing the ability to show passwords.

Although spell-jacking could still be possible after removing the show-password feature, doing so prevents passwords from being sent. The Otto-js team has reached out to Microsoft 365, Alibaba Cloud, Google Cloud, AWS, and LastPass to look into the matter and safeguard their customers’ privacy.
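The two mitigations described above, the spellcheck="false" attribute and a show-password toggle that does not re-expose the field, as an added example; this is not code from the article, otto-js, AWS or LastPass. It also includes a small audit helper that lists sensitive fields still missing the attribute. The `MinimalElement` class is a constructed stand-in for a DOM element so the logic runs under Node; in a browser, pass real `<input>` elements (for example from `document.querySelectorAll('input')`) instead.

```javascript
// Added example: keep password-like fields out of the browser's enhanced spellcheck.
// MinimalElement is a constructed stand-in for a DOM input (only getAttribute,
// setAttribute and the `type` property are used, so real elements work too).
class MinimalElement {
  constructor(attrs = {}) {
    this.attrs = { ...attrs };
    this.type = attrs.type || 'text';
  }
  getAttribute(name) { return name in this.attrs ? this.attrs[name] : null; }
  setAttribute(name, value) { this.attrs[name] = String(value); }
}

// Mitigation 1: opt the field out of spellcheck. This is the attribute the
// article says AWS and LastPass applied.
function hardenSensitiveField(el) {
  el.setAttribute('spellcheck', 'false');
  return el;
}

// Mitigation 2 (safer variant of "show password"): when the field is switched
// from type="password" to type="text", re-assert spellcheck="false" so the
// now-visible text is still never handed to the spellchecker.
function togglePasswordVisibility(el) {
  el.type = el.type === 'password' ? 'text' : 'password';
  hardenSensitiveField(el);
  return el.type;
}

// Audit helper: return the names of fields that could leak through spellcheck,
// i.e. password inputs or fields whose name suggests PII (SSN, DOB, card data)
// that do not carry spellcheck="false". The name pattern is a constructed
// heuristic, not a standard.
const SENSITIVE_NAME = /pass|ssn|social|card|cvv|dob|birth|account/i;

function auditFields(inputs) {
  return inputs
    .filter((el) => {
      const name = el.getAttribute('name') || '';
      const sensitive = el.type === 'password' || SENSITIVE_NAME.test(name);
      return sensitive && el.getAttribute('spellcheck') !== 'false';
    })
    .map((el) => el.getAttribute('name'));
}

// Stand-alone demonstration on constructed fields.
function demo() {
  const password = new MinimalElement({ name: 'password', type: 'password' });
  const ssn = new MinimalElement({ name: 'ssn', type: 'text', spellcheck: 'false' });
  const username = new MinimalElement({ name: 'username', type: 'text' });
  const fields = [password, ssn, username];

  const before = auditFields(fields);        // ['password']
  hardenSensitiveField(password);
  const after = auditFields(fields);         // []
  const shown = togglePasswordVisibility(password); // 'text', spellcheck still "false"
  return { before, after, shown, spellcheck: password.getAttribute('spellcheck') };
}

console.log(JSON.stringify(demo()));
```

Run the audit once on a page's inputs after it finishes loading; a non-empty result means the field should either get the attribute or lose its show-password control, which is the stronger of the two fixes described above.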

Source: https://www.bleepingcomputer.com/news/security/google-microsoft-can-get-your-passwords-via-web-browsers-spellcheck/