
Your browser’s spell check feature could be giving away your passwords


Typos in your emails and documents can make you look unprofessional, which is why many people depend on spell check. However, Enhanced spell check in Google Chrome and Microsoft Edge can send your personally identifiable information (PII) and sometimes even your passwords to either company.

As reported by BleepingComputer, both browsers ship with basic spell check features enabled. Those who want extra spell check functionality, though, can enable Enhanced spell check in Chrome's settings or add the browser extension Microsoft Editor Spelling & Grammar Checker to Edge.

When either feature is enabled, the data you enter into forms is transmitted back to the company whose browser you're using. Depending on which sites you visit, this form data may include your Social Security number, name, address, email, date of birth, contact information, bank and payment information or other sensitive personal data.

Enhanced spell check


Josh Summit, co-founder and CTO of the JavaScript security firm otto-js, recently discovered that personal information as well as passwords are sent back to Microsoft and Google when using Enhanced spell check or Microsoft Editor.

While testing his company’s script behavior detection, Summit found that “basically anything” entered into a site’s form fields is sent to either Google or Microsoft when using Chrome or Edge with this feature enabled.

To make matters worse, when a user clicks on “show password” on a site, enhanced spell check also sends their passwords back to the company whose browser they’re using. Show password can be really useful, especially when you think you’ve misspelled one of your passwords.

Summit provided further insight on his findings in a blog post, saying:

“Chrome's enhanced spellcheck & Edge's MS Editor are sending data you enter into form fields like username, email, DOB, SSN, basically anything in the fields, to sites you're logging into from either of those browsers when the features are enabled. Furthermore, if you click on "show password," the enhanced spellcheck even sends your password, essentially Spell-Jacking your data.”
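Site owners can check their own forms for this exposure from the markup alone. The JavaScript below is an added example, not code from this article or from otto-js; it assumes the standard HTML `spellcheck="false"` attribute opts a field out of browser spell checking, and the form markup and field names are constructed for illustration.

```javascript
// Added example: audits form markup for fields whose contents a cloud spell
// checker could receive. Markup and field names below are constructed.
const NON_TEXT = new Set(["hidden", "checkbox", "radio", "file", "submit",
  "button", "image", "reset", "range", "color"]);

// Parse the attributes of one start tag into a lower-cased name -> value map.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*\w+/, ""); // drop "<input" / "<textarea"
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const m of body.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Classify every text-entry field:
//   "protected"        spellcheck="false" is set on the field itself
//   "exposed-if-shown" password field; sent only once "show password"
//                      switches it to a plain text field
//   "exposed"          ordinary text field with spell check left on
// Limitation: spellcheck="false" inherited from an ancestor is not detected.
function auditFields(html) {
  const findings = [];
  for (const [tag, el] of html.matchAll(/<\s*(input|textarea)\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    const type = el.toLowerCase() === "textarea"
      ? "textarea" : (a.type || "text").toLowerCase();
    if (NON_TEXT.has(type)) continue;
    let risk = type === "password" ? "exposed-if-shown" : "exposed";
    if ((a.spellcheck || "").toLowerCase() === "false") risk = "protected";
    findings.push({ name: a.name || "(unnamed)", type, risk });
  }
  return findings;
}

const SAMPLE_FORM = `
<form>
  <input type="email" name="email">
  <input type="text" name="ssn" spellcheck="false">
  <input type="password" name="password">
  <input type="password" name="pin" spellcheck="false">
  <textarea name="notes"></textarea>
  <input type="hidden" name="csrf" value="constructed">
  <input type="submit" value="Log in">
</form>`;

console.table(auditFields(SAMPLE_FORM));
```

Any field reported as "exposed" or "exposed-if-shown" that collects sensitive data is a candidate for `spellcheck="false"`.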

How to turn off Enhanced spell check

If you’re concerned about your personal information or passwords falling into the wrong hands from using Enhanced spell check in your browser, you should first check to see whether or not the feature is enabled.

In Chrome, you can do this by clicking on the three dots menu in the upper right corner and opening Settings. With the browser's settings menu open, just type "spell check" into the search box at the top. You'll see the spell check options, and if Enhanced spell check is enabled, just click on Basic spell check to disable it.


Fortunately, you need to opt in to using the Enhanced spell check feature in Chrome, according to a support document from Google. This means that unless you turned it on manually, the feature will be disabled by default.

Disabling Enhanced spell check in Edge is even easier since you need to install the Microsoft Editor add-on for the browser to use it in the first place. If you didn't download and install this add-on, then there's nothing for you to do. If you have, though, you may want to consider disabling it, which you can do by clicking on the three dots menu and heading to Extensions.

Even if you're one of the worst typists out there, the basic spell check feature built into both browsers should be more than enough to fix any errors you make while typing. Also, if you want to protect your passwords further, you may want to consider using one of the best password managers to create strong passwords for you and store them securely.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

  • casey@otto-js
    otto-js also offers a free Chrome extension that will alert users when they are visiting a website that has the risk of data leaks caused by enhanced spellcheck: https://chrome.google.com/webstore/detail/otto-javascript-security/lcmaikahgebmdmnckjbaikfllpmgabei