The Spell Checker in Your Web Browser Could Have Leaked Your Passwords

But it probably isn’t the browser’s fault

  • The extended spell checkers in Google Chrome and Microsoft Edge transmit everything typed inside a text box, including passwords, to their servers.
  • While the browsers could probably have taken steps to avoid this, the fault also lies with websites, which could have disabled the spell checker in certain text boxes.
  • The incident serves as a reminder of our dependence on cloud-connected services, warn privacy advocates.
Human hand holding asterisk representing a hidden password

Boris Zhitkov / Getty Images

The security community has long argued that people can't always have both convenience and privacy, especially on the internet, and they have one more example to hammer home the point.

Josh Summitt, co-founder & CTO of JavaScript security firm otto-js, discovered that under specific but common conditions, the extended spell checkers in Google Chrome and Microsoft Edge leak sensitive information to their respective companies. 

"This incident is indicative of what we have seen in the industry for years, teaching us nothing that we haven't already gleaned from past experiences," Alon Nachmany, Field CISO, AppviewX, told Lifewire over email. "If anyone is under the impression that Chrome, Gmail, or even Google's search engine is Google's product, they are naive and incredibly mistaken. We are Google's product."

Wrong Approach

Both browsers include basic spell checking features, which are enabled by default and don't transmit data back to Google or Microsoft. However, Summitt found that when Chrome's 'Enhanced Spellcheck' and Edge's 'Microsoft Editor' are enabled, they transmit anything you type in a textbox, including usernames, email addresses, social security numbers, and more. Worryingly, if you click the "show password" toggle to verify if you've entered the right password, the enhanced spell checkers will even transmit your password.

According to tests by Bleeping Computer, the enhanced spell checker transmitted credentials to Google from several websites, including Facebook,, Bank of America, and Verizon.

"Although it may seem basic, input fields on a page are not always straightforward for the browser to interpret its use," pointed out Nachmany, stressing that it's a task best left to the websites rather than browsers.

Adding to this, Brian Chappell, Chief Security Strategist, EMEA & APAC, at BeyondTrust, says the show password feature on many websites is locally implemented by the site itself. 

"This isn't a case of Google's Chrome not reacting correctly to a password field, but rather it's the browser reacting correctly to a textbox that hasn't been marked as exempt for spell checking," said Chappell. "Resolving this will lie with each website that's offering this functionality."

Chappell assures people that the concern for both browsers relates to enhanced services and not the default spell checking, which is enabled by default. At the same time, he feels Google and Microsoft could do a better job of alerting users that personally identifiable information (PII) might be transmitted to their servers, as they enable their respective enhanced spell checkers while sharing details about how this data will be processed and secured.

Too Many Clouds

Taking a step back, and looking at the larger issue, Esther Payne, privacy advocate and community manager at the Librecast Project, believes we've gotten used to interacting with hosted services but don't fully comprehend the consequences.

"Why did the spell checker need to communicate back to base in the first place? For spell checking, why weren't the dictionaries local?" Payne asked rhetorically in an email exchange with Lifewire.

This incident is indicative of what we have seen in the industry for years, teaching us nothing that we haven’t already gleaned from past experiences.

In the same vein, Nachmany cautions people against browser extensions that use artificial intelligence to spell check, grammar check, or even help us write. Asking us to ponder where those recommendations are coming from, he stresses that the onus for protecting our data lies firmly on us.

"Chrome, Gmail, and the Google search engine are merely tools to collect information and maintain the ability to reach us," said Nachmany. "The reality is, having too much privacy can hurt Google's bottom line and, like most tech companies, they must walk the fine line between security and privacy on a daily basis."

Although he believes the companies will take steps to address this issue, he's also sure other concerns will come to fruition going forward. 

The root of the problem for these intermittent issues, Payne believes, lies solely with the approach to development at the tech giants during their formative years.

"The earlier culture of "move fast, break things" doesn't just disrupt systems, it puts private information at risk," said Payne.

Was this page helpful?