A JavaScript security company found that sensitive information entered into the forms of Chrome and Edge browsers is sent respective company’s server if the advanced spellcheck feature is enabled.

It’s the Enhanced Spell Checker in Chrome and Microsoft Editor in Edge browser that collects the data and transmits it back to the respective company’s server. Data include all sensitive information, including the passwords entered in login forms. Although there’s a way to disable this.

Sucking Passwords With Spellcheck On

Google with its Chrome and Microsoft with its Edge are the two more prominent browsers we have today, serving most of the web requests daily. While they’re known to be owning some of our data for ads, it’s intriguing to learn that they can suck more sensitive data – including the passwords – when the advanced spellcheck feature is on.

As per Josh Summitt, co-founder & CTO of JavaScript security firm otto-js, who discovered this issue, the data sucked up by Google or Microsoft depends on the website you’re visiting in, and most importantly – it happens only when the Microsoft Editor in Edge or Enhanced Spell Checker in Chrome is on.

Though Chrome and Edge provide basic spellcheck support – which doesn’t collect any data, it’s the advanced spellcheck features that suck the data enterer in the forms of browsers. Users turn these features on to correct their spelling mistakes and be more understandable.

Based on the otto-js report, the data taken in this process include all types of PII, including but not limited to Social Security Numbers (SSNs), names, addresses, email, date of birth (DOB), contact information, bank and payment information, and so on – depending on the website.

And in the case when the user enables ‘show password‘ – to make sure he’s entering the right one – the browser sucks in the entered password too to its server. Though all this data is transmitted through an HTTPS pipeline, it’s unknown how well the data is protected at Google’s or Microsoft’s servers.

Summit has explained this behavior with the example of the user entering credentials on Alibaba’s Cloud and finding the data entered sent to googleapis.com. Well, Google defended this by saying that “The Enhanced spell check feature requires an opt-in from the user,” to BleepingComputer, which is true, as it explicitly mentions to be collecting data when the Enhanced Spell Checker is on.

Although, there’s a workaround. Users can turn this behavior off even with advanced spellcheck on. All you need to do is to copy-paste the following link in your address bar and set the choose option to FALSE – like “spellcheck=false“.


AWS and LastPass have mitigated this behavior by setting the command to false from their end, while other major websites are yet to act on it.


Please enter your comment!
Please enter your name here