An unpleasant discovery was made public by a security researcher. The Google Chrome browser, as well as the Chromium-based Microsoft Edge browser, in some cases transmit personal data from forms to Google and Microsoft respectively.
This includes passwords access. Browsers' Extended spell checker is the main culprit.
The research team at Otto, a company ασφαλείας που ειδικεύεται στο JavaScript (otto-js.com), εξέτασε τα δύο programs browser Google Chrome and Microsoft Edge and made the unpleasant discovery that both browsers can transfer the user's personal data to Google and Microsoft.
The data in question is form data that the user must enter when visiting websites in the browser.
These can be usernames, email addresses, social security numbers, etc., but also passwords. Normally, this data should only be transmitted to the website visited by the respective user. However, with the Advanced Spell Check feature, which can be enabled in Google Chrome, these entries are transmitted to Google for verification. Something similar happens in Microsoft Edge. In a post published on September 16, 2022, the security researchers state:
Chrome's improved spell checker and program processingEdge's MS (enhanced spellcheck and MS Editor) send data you enter into form fields like username, email, DOB, SSN, basically anything in the fields, from websites you connect to when these features are enabled. If you click “show password”, the improved spell checker even sends your password.
The team documented an example with a link to the Alibaba website in its blog post.
Protection
Chrome browser users have the option to disable the Advanced Spell Check feature from Chrome Settings in Sync and Google Services (use the internal address chrome://settings/?search=Enhanced+Spell+Check).
For Edge, Microsoft Editor's spell and grammar checker is a browser add-on that must be uninstalled.