Google, Microsoft can get your passwords via web browser's spellcheck

[Gandalf_The_Grey]

Content source

https://www.bleepingcomputer.com/news/security/google-microsoft-can-get-your-passwords-via-web-browsers-spellcheck/

Extended spellcheck features in Google Chrome and Microsoft Edge web browsers transmit form data, including personally identifiable information (PII) and in some cases, passwords, to Google and Microsoft respectively.

While this may be a known and intended feature of these web browsers, it does raise concerns about what happens to the data after transmission and how safe the practice might be, particularly when it comes to password fields.

Both Chrome and Edge ship with basic spellcheckers enabled. But, features like Chrome's Enhanced Spellcheck or Microsoft Editor when manually enabled by the user, exhibit this potential privacy risk.

When using major web browsers like Chrome and Edge, your form data is transmitted to Google and Microsoft, respectively, should enhanced spellcheck features be enabled.

Depending on the website you visit, the form data may itself include PII—including but not limited to Social Security Numbers (SSNs)/Social Insurance Numbers (SINs), name, address, email, date of birth (DOB), contact information, bank and payment information, and so on.

Josh Summitt, co-founder & CTO of JavaScript security firm otto-js discovered this issue while testing his company's script behaviors detection.

In cases where Chrome Enhanced Spellcheck or Edge's Microsoft Editor (spellchecker) were enabled, "basically anything" entered in form fields of these browsers was transmitted to Google and Microsoft.

"Furthermore, if you click on 'show password,' the enhanced spellcheck even sends your password, essentially Spell-Jacking your data," explains otto-js in a blog post.

Google, Microsoft can get your passwords via web browser's spellcheck

Enhanced Spellcheck features in Google Chrome and Microsoft Edge web browsers transmit form data, including personally identifiable information (PII) and in some cases, passwords, to Google and Microsoft respectively.

www.bleepingcomputer.com

 

[Sorrento]

Thanks: Unenabled enhanced spell check in MS Edge, wasn't enabled in Brave.

 

[HarborFront]

Besides this any other ways that MS and Google can get our passwords?

 

[show-Zi]

Enhanced Spellcheck (for information gathering)

 

[oldschool]

Enhanced Spellcheck (for information gathering)

I've never had this kind of feature enabled in any browser. Most features that purport to make browsing "easier" are just that, i.e. data harvesting, security or privacy risks, etc.

 

[n8chavez]

This is yet another reason to use Firefox and Keepass.

 

[oldschool]

This is yet another reason to use Firefox and Keepass.

MV3 is also very problematic in terms of security in regards to password managers, among other things.
Browser Add-on - Google’s Manifest V3 Still Hurts Privacy, Security, and Innovation

Users may also want to check out some other references in that thread.

 

[Sorrento]

Seems is not enabled by default in Brave but is in Edge.

 

[show-Zi]

I've never had this kind of feature enabled in any browser. Most features that purport to make browsing "easier" are just that, i.e. data harvesting, security or privacy risks, etc.

I agree. What is convenient for users is also convenient for attackers.

 

[Ink]

Besides this any other ways that MS and Google can get our passwords?

Not limited to, and potentially from other lesser known spell checker extensions on the Chrome Web Store.


Here's what Grammarly says about their product.

https://support.grammarly.com/hc/en-us/articles/360003816032-Is-Grammarly-a-keylogger-

https://support.grammarly.com/hc/en-us/articles/115003339991-What-Apple-s-full-access-warning-actually-means