The advanced spell checker for Chrome and Edge can ensure that sensitive data is forwarded to Google and Microsoft servers, respectively. This is undesirable, especially in the case of login forms, although developers can prevent this quite easily.

In both browsers, users can choose between basic and advanced spell checking functionality, in the latter case all visible text is redirected to the respective companies’ servers, so otto-js researchers discovered. In such cases, the text is checked centrally by algorithms for spelling and grammatical errors. In Chrome, this feature is called Extended Spell Checking. In Edge, the same feature is called Microsoft Editor. Last year, a privacy expert at A . warned Interview with Tweakers Already for the job.

The researchers found that all visible text containing such a spelling checker is redirected for processing, which should come as no surprise to many. But this includes, in addition to general texts, bank details and email addresses, possible passwords also when using the “Show password” function on the login page.

The researchers stress that it is not clear to what extent the advanced spell-checker, on the other hand, poses any additional privacy risks. “It is not clear whether or not the data will be stored. (…) It is also unclear whether the data is treated with the same security considerations as known sensitive data such as passwords, or, for example, by the product team as data Descriptive algorithms optimization”.

In any case, it would be very easy for website developers to prevent the flow of sensitive data information to Google or Microsoft servers. By disabling the ability to spell-check sensitive fields with HTML code spellcheck=false The problem will be solved.