Enhanced spellcheckers like Microsoft Editor in Edge can transmit password info


While testing script behavior detection, researchers at JavaScript security company otto-js noticed something unusual: enhanced spellcheckers, like the Enhanced Spellchecker in Google’s Chrome (off by default, needs to be turned on) or Microsoft’s Editor (an Edge plugin, needs to be installed), send potentially personally identifiable information (PII) to servers at Google and Microsoft, respectively.

What’s more, if users take advantage of the “Show Password” option, the passwords themselves can be transmitted as well.

The information, potentially anything entered in form fields while these enhanced spellcheckers are on, is processed only temporarily at Google, the company said:

“The text typed by the user may be sensitive personal information and Google does not attach it to any user identity and only processes it on the server temporarily. To further ensure user privacy, we will be working to exclude passwords proactively from spell check.”

In addition, the Chrome option for turning on Enhanced Spell Checker states that “(t)ext that you type in the browser is sent to Google.”

Both Microsoft and Google use company servers to perform the enhanced spellchecks, but in doing so may be opening up attack vectors that users may not be aware of.

You can read more about the research conducted by otto-js in their blog post.

(via BleepingComputer)