Google servers can get your passwords if you use Chrome’s enhanced spell check

This is only a problem if you use “show password” on sites that do not adhere to best practices

Google Chrome is packed with useful features such as spell checking. In addition to standard spell checking, Chrome also offers “enhanced spell check”. When you turn it on, Google notes that whatever you type into your browser will be sent to the company’s servers, where more advanced grammar and style algorithms process it. That alone makes it clear that you probably shouldn’t turn it on if you’re concerned about data security, and an investigation has now confirmed exactly that: under certain circumstances, your usernames and passwords may be sent to Google’s spell checking servers during sign-in.

An investigation by otto-js (via Bleeping Computer) found that passwords you enter into login forms can be sent to Google’s servers when you use a site’s ‘reveal password’ feature. Many websites offer this option to make passwords easier to enter, since it lets you see what you are typing in plain text. However, it also means that Chrome’s usual protection for password fields no longer applies: once revealed, the password sits in an ordinary text field whose contents can be treated as text to spell check. Websites can prevent this by adding the HTML attribute spellcheck="false" to the field in question, but as Bleeping Computer and otto-js show, many sites, including Big Tech sites like Facebook, neglect to do so.

LastPass was also among the companies affected by this issue. After otto-js contacted it, the security company fixed the problem by adding spellcheck="false" to the input field.
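To see what that fix looks like in practice, here is an added example (not code from the article, otto-js or any of the sites named): a small audit that scans login-form markup for password fields that lack spellcheck="false", plus a reveal-password toggle that keeps spell checking off when the field is switched to plain text. The sample form is constructed, and the regex tag scan assumes simple, well-formed markup.

```javascript
// Added example, not from the article. Finds <input type="password"> fields
// that are not explicitly opted out of spell checking, so a "reveal password"
// toggle could hand their contents to a cloud spell checker.
// Assumption: simple, well-formed markup; a regex tag scan is enough here.
// Caveat: only the attribute on the input itself is checked, not values
// inherited from an ancestor element such as <form spellcheck="false">.

const TAG_RE = /<input\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z_:-][\w:.-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the attribute text of one <input ...> tag into a lowercase-keyed map.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    attrs[m[1].toLowerCase()] = value.toLowerCase();
  }
  return attrs;
}

// Return the names (or ids) of password inputs missing spellcheck="false".
function findSpellcheckGaps(html) {
  const gaps = [];
  for (const m of html.matchAll(TAG_RE)) {
    const a = parseAttrs(m[1]);
    if ((a.type || "text") !== "password") continue;
    if (a.spellcheck === "false") continue; // correctly hardened
    gaps.push(a.name || a.id || "(unnamed)");
  }
  return gaps;
}

// Hardened reveal toggle: switching the field to type="text" must not re-enable
// spell checking. `input` is an HTMLInputElement in a browser, or any object
// with getAttribute/setAttribute (hypothetical stand-in used for testing).
function togglePasswordReveal(input) {
  const showing = input.getAttribute("type") === "text";
  input.setAttribute("type", showing ? "password" : "text");
  input.setAttribute("spellcheck", "false"); // revealed text stays local
  return input.getAttribute("type");
}

// Constructed sample login form: one hardened field, one that leaks on reveal.
const SAMPLE_FORM = `
<form action="/login" method="post">
  <input type="text" name="username" spellcheck="false">
  <input type="password" name="password" id="pw">
  <input type="password" name="pin" spellcheck="false">
</form>`;

console.log(findSpellcheckGaps(SAMPLE_FORM)); // prints [ 'password' ]
```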

When asked by Bleeping Computer, Google explained that enhanced spell check is only enabled with the user’s consent, and people are warned that this means all their input is sent to its servers. That already limits who is affected in the first place. The company then explained that it is aware this data can be sensitive, so the text is not tied to any user identity and is only temporarily stored and processed on Google’s servers. The company also promised to improve its own processes to proactively exclude passwords from processing.

The investigation also found that the Microsoft Editor browser extension has the same issue. This is to be expected, as Microsoft also relies on cloud computing to provide improved spelling, style, and grammar checking.

Given that both Microsoft and Google clearly say that typed text is sent to their servers, we don’t think it is surprising that, under the right circumstances, users’ passwords can be sent along with other typed text. It goes without saying that neither spell checker should be used if you routinely deal with confidential information, as you are giving someone beyond your control access to everything you write, even if both offer good privacy policies. It’s good that this investigation has revealed some issues with cloud spell checking, but it is really something to expect from any cloud spell checker.

If you already use one of the many great password managers, you should also be safe, even if you use the enhanced spell checker in Chrome or the Microsoft Editor. After all, you’ll only be copying and pasting passwords or using the autofill extension. The only thing to keep in mind is that there are also tools for syncing the clipboard across devices. If you use any of these, it’s possible that your passwords will appear in places where you don’t expect them, including some company’s server.
