Home Web information The spell check function of web browsers may transmit your password to Google and Microsoft / Digital Information World

The spell check function of web browsers may transmit your password to Google and Microsoft / Digital Information World


Many of us click the “show password” option more often to check spelling and accuracy. The server also sometimes warns us when the password does not match. The recent study conducted by Josh Summit produced menacing results regarding this spell checking feature.

This feature passes form data to Google and Microsoft, leaving its operators vulnerable to the situation. It can also often transfer personally identifiable information (PII). The well-meaning element of these web browsers can affect many parties.

As this leaves its users dubious about the functionality, many of us enabled the feature to save time by simply copying and pasting the password and checking the spelling. This raises concerns about what happens if our data is passed on and how to protect it, especially in relation to the password field.

Both Chrome and Edge ships contain the spell check feature in the settings. Both apps have facilitated these features, but they can only work manually. Users have enabled the feature to save time. Yet, this leads to harmful means of data transmission.

Once the feature is activated, it automatically transfers data to Google and Microsoft. Josh Summit, co-founder and CTO of JavaScript, detected this flaw while running some tests. The research revealed that 73% of these sites and groups pass the data to a third party if you click on the Show password function.

He further explained that once the feature is enabled, it could transfer PII information along with Social Security Numbers (SSN), name, address, date of birth, bank, and payment hardware.

However, the form data takes place securely over HTTPS. Google is also trying to ensure the well-being of its community by eliminating the spell check feature. For now, we can disable this enhanced spell checking feature by going to settings and turning it off.

Also, Google’s spellcheck feature explicitly indicates that text you type in the browser is sent to Google. However, it is specified that google does not transfer the data to third parties, but processes it temporarily on the server.

Additionally, Google is proactively working to remove the spell check password to keep operators safe. AWS and LastPass are said to have mitigated the problem by simply requiring their users to set the HTML attribute spellcheck=false.

This feature prevented the spell checker from detecting the web browser‘s default connection. Most companies can also stop spell jacking by simply removing the ability to display passwords.

Although spell jacking may be possible even after removing the feature, it could prevent passwords from being sent. The Otto-js team reached out to Microsoft 365, Alibaba Cloud, Google Cloud, AWS, and LastPass to look into the matter and protect their customers’ privacy.

Source: https://www.bleepingcomputer.com/news/security/google-microsoft-can-get-your-passwords-via-web-browsers-spellcheck/