Discovering the data leak
Josh Summitt, co-founder and CTO of Otto-JS, discovered this and warned that these spell check features are often active even if users are unaware.
Both browsers have basic spell checking built in and enabled by default, and it does not transmit data back to Google or Microsoft. However, Chrome’s ‘Enhanced Spellcheck’ extension and Edge’s ‘Microsoft Editor’ are optional add-ons.
That said, users do need to explicitly authorize them, and while it’s obvious that their data will be sent back to both companies to improve the product, it’s not so obvious that this might include their PII.
Access to all online data
The security firm said that Chrome and Edge, which apply these features to most text fields on a web page, can access “basically anything”.
This means that all data entered online, including your date of birth, payment details, contact information, logins and passwords, can be sent back to Google and Microsoft.
Summitt even said that if the “show password” option is enabled, the password will still be pushed to third-party servers. Bleeping Computer reports that it found Chrome transmitting usernames for SSA.gov, Bank of America, and Verizon, and that passwords for CNN and Facebook were also exposed in this way.
What would be the solution?
One way to minimize exposure is for web developers to add the attribute “spellcheck=false” to all input fields that might require sensitive information.
This effectively excludes these fields from the browser’s spell checker, although it means spell checking will be disabled for these entries.
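As an added example (not code from the article or from Otto-JS), a site could ship a small script as a safety net for fields whose markup is missing the attribute. It sets the attribute on password inputs up front so that it is still in place after a “show password” toggle changes the field to plain text. Assumptions: the function names and the list of autocomplete tokens used to decide which fields are sensitive are choices made for this example.

```javascript
// Preferred fix is in the markup itself, e.g.:
//   <input type="password" autocomplete="current-password" spellcheck="false">
// This script only catches fields where that was forgotten.

// Assumption: standard HTML autocomplete tokens treated as sensitive here.
const SENSITIVE_TOKENS = new Set([
  "username", "current-password", "new-password", "one-time-code",
  "cc-name", "cc-number", "cc-exp", "cc-csc",
  "bday", "email", "tel", "street-address",
]);

// A field is sensitive if it is a password input or carries a sensitive token.
function isSensitive(el) {
  const type = (el.getAttribute("type") || "text").toLowerCase();
  if (type === "password") return true;
  const tokens = (el.getAttribute("autocomplete") || "")
    .toLowerCase()
    .split(/\s+/);
  return tokens.some((t) => SENSITIVE_TOKENS.has(t));
}

// Sets spellcheck="false" on sensitive fields that lack it.
// Returns the elements that had to be fixed, so they can be logged and
// corrected in the templates.
function hardenFields(root) {
  const fixed = [];
  for (const el of root.querySelectorAll("input, textarea")) {
    if (!isSensitive(el)) continue;
    if ((el.getAttribute("spellcheck") || "").toLowerCase() === "false") continue;
    el.setAttribute("spellcheck", "false");
    fixed.push(el);
  }
  return fixed;
}

// In a browser: harden the current page, then re-run when fields are added
// later (single-page apps, login dialogs). Only childList is observed, so the
// attribute writes above do not re-trigger the observer.
if (typeof document !== "undefined") {
  hardenFields(document);
  new MutationObserver(() => hardenFields(document)).observe(
    document.documentElement,
    { childList: true, subtree: true }
  );
}
```

A toggle that replaces the password input with a new text input is only covered if the replacement carries a sensitive autocomplete token, so the attribute should still be set in the templates.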