Security researchers have made an unpleasant discovery public. The Google Chrome browser, as well as the Chromium-based Microsoft Edge browser, in some cases transmits personal data from forms to Google and Microsoft respectively.
This includes passwords. The browsers' enhanced spell checker is the main culprit.
The research team at Otto, a security company specializing in JavaScript (otto-js.com), examined Google Chrome and Microsoft Edge and found that both browsers can transmit the user's personal data to Google and Microsoft.
The data in question is form data that the user enters when visiting websites in the browser.
This can be usernames, email addresses, social security numbers, etc., but also passwords. Normally, this data should only be transmitted to the website the user is visiting. However, with the Enhanced Spell Check feature, which can be enabled in Google Chrome, these entries are transmitted to Google for checking. Something similar happens in Microsoft Edge. In a post published on September 16, 2022, the security researchers state:
"Chrome's enhanced spellcheck and Edge's MS Editor (enhanced spellcheck and MS Editor) send data you enter into form fields like username, email, DOB, SSN, basically anything in the fields, from websites you connect to when these features are enabled. If you click “show password”, the improved spell checker even sends your password."
The team documented an example with a link to the Alibaba website in its blog post.
Protection
Chrome users can disable the Enhanced Spell Check feature in Chrome Settings under Sync and Google Services (use the internal address chrome://settings/?search=Enhanced+Spell+Check).
For Edge, Microsoft Editor's spell and grammar checker is a browser add-on that must be uninstalled.
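The steps above protect the individual user. As an added example (not code from this article or from Otto) that goes one step further to the site side, the script below audits a form's markup for fields whose typed contents a browser spell checker may read. It assumes that the standard HTML `spellcheck="false"` attribute on a field opts it out, that the listed text-like input types are the eligible ones, and that a password field becomes eligible once a "show password" toggle switches it to `type=text`.

```javascript
// Added example: flag form fields whose contents a browser spell checker may read.
// Assumption: text-like input types and <textarea> are spell-check eligible
// unless the element itself carries spellcheck="false" (inheritance from a
// parent element is not modelled here).
const TEXT_LIKE = new Set(["text", "search", "email", "url", "tel"]);

// Parse the attribute part of a tag into a lower-cased name -> value map.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").trim();
  }
  return attrs;
}

// Return one finding per <input>/<textarea> that has not opted out.
function auditSpellcheckExposure(html) {
  const findings = [];
  const tagRe = /<(input|textarea)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const a = parseAttrs(m[2]);
    if ((a.spellcheck || "").toLowerCase() === "false") continue; // opted out
    const type = tag === "input" ? (a.type || "text").toLowerCase() : "textarea";
    const name = a.name || a.id || "(unnamed)";
    if (type === "password") {
      findings.push({ name, type, risk: "exposed once a show-password toggle sets type=text" });
    } else if (tag === "textarea" || TEXT_LIKE.has(type)) {
      findings.push({ name, type, risk: "typed text is spell-check eligible" });
    }
  }
  return findings;
}

// Constructed sample form, not taken from any real site.
const SAMPLE_FORM = `
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="email" type="email" spellcheck="false">
  <input name="ssn">
  <input name="password" type="password">
  <input name="pin" type="password" spellcheck="false">
  <textarea name="notes"></textarea>
  <input type="submit" value="Sign in">
</form>`;
console.log(auditSpellcheckExposure(SAMPLE_FORM));
```

On the sample form the audit reports `username`, `ssn`, `password` and `notes`, and skips the two fields that set `spellcheck="false"` as well as the submit button.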