from the yore-sew-rite! dept.
If you like to be thorough and use an advanced spellchecker, we have some bad news — your personal information could be in danger.
Using the extended spellcheck in Google Chrome and Microsoft Edge transmits everything you input in order for it to be checked. Unfortunately, this includes information that should be strictly encrypted, such as passwords.
“If you click on ‘show password,’ the enhanced spellcheck even sends your password, essentially spell-jacking your data,” said otto-js in its report. “Some of the largest websites in the world have exposure to sending Google and Microsoft sensitive user PII [personally identifiable information], including username, email, and passwords, when users are logging in or filling out forms. An even more significant concern for companies is the exposure this presents to the company’s enterprise credentials to internal assets like databases and cloud infrastructure.”
Many people use “show password” in order to make sure they haven’t made a typo, so potentially, a lot of passwords could be at risk here. Bleeping Computer tested this further and found that entering your username and password on CNN and Facebook sent the data to Google, while SSA.gov, Bank of America, and Verizon only sent the usernames.
[...] If you’d rather not have your personal data transmitted to Microsoft and Google, you should stop using the advanced spellchecker for the time being. This means disabling the feature in your Chrome settings. Simply copy and paste this into your browser’s address bar: chrome://settings/?search=Enhanced+Spell+Check.
For Microsoft Edge, the advanced spellchecker comes in the form of a browser add-on, so simply right-click the icon of that extension in your browser and then tap on Remove from Microsoft Edge.