Google Chrome has a number of useful functions, one of which is the spell checker. In addition to the standard spell check, Chrome also offers an “enhanced spell check” (Enhanced Spellcheck). If you want to enable it, you should know that anything you enter in the browser can be sent to the company’s servers to go through advanced grammar and spelling algorithms.
Under certain circumstances, even your passwords and usernames during the login process may be sent to Google’s spell-checking servers. Depending on the website you visit, other personally identifiable information (PII), including name, address, email address, date of birth, contact information, payment information, and more, may be sent to the servers.
An investigation conducted by Josh Summitt, co-founder and CTO of the company otto-js, revealed that passwords you enter in Google Chrome can be sent to Google servers when you use the “password reveal” feature. This is an option on many websites that should make it easier to enter the correct password because it allows you to see what you’re typing as plain text. This means that Chrome’s usual privacy protections don’t work because this password text can be treated as plain text that needs to be spell-checked.
Websites can prevent this from happening by adding the HTML attribute “spellcheck=false” to the field in question, but investigation has shown that this is something many websites overlook, including big sites like Facebook.
To check if enhanced spell check is enabled in your Chrome browser, copy the link: chrome://settings/?search=Enhanced+Spell+Check into the address bar. From there you can turn this option on or off.
You’ll also see there that it explicitly states that when enhanced spell checking is enabled, “the text you enter in the browser is sent to Google.”
When asked by Bleeping Computer, Google explained that enhanced spell checking is only enabled when the user opts in, and that people are warned that this means that all their input is sent to servers. This already limits the number of those affected by the problem at all. The company clarified that it is aware that data can sometimes be sensitive, so the text is not linked to the user and is only temporarily stored and processed on Google’s servers. The company has promised to work to exclude passwords from spell checking.
As for Microsoft Edge, the investigation revealed that the Microsoft Editor Spelling & Grammar Checker browser plug-in has the same problem. But this plugin must be installed separately. This should also come as no surprise, as Microsoft’s spell-checking service also relies on cloud-based processing.
LastPass also had this bug. After otto-js contacted the company, the issue was resolved by introducing the “spellcheck=false” attribute in the password input field.
Given that both Microsoft and Google explicitly say that the text you type is sent to their servers, no one should be surprised that passwords could end up on the companies’ servers under certain circumstances. Still, it’s good that this investigation has brought to light some problems with spell checking.
Source: Informacija.rs by www.informacija.rs.
*The article has been translated based on the content of Informacija.rs by www.informacija.rs. If there is any problem regarding the content, copyright, please leave a report below the article. We will try to process as quickly as possible to protect the rights of the author. Thank you very much!
*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.
*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!