This is only an issue when you use ‘show password’ on sites that don’t conform to best practices
Google Chrome is filled to the brim with useful features, like spell check. Other than the standard spell check, Chrome also offers “enhanced spell check.” When you want to enable it, Google notes that whatever you type in the browser will be sent to the company’s servers to run it through advanced grammar and style algorithms. This already makes clear that you probably shouldn’t enable it when you’re concerned about data security, and an investigation has confirmed exactly this. Under certain circumstances, your passwords and usernames could be sent to Google’s spell-checking servers during login processes.
An investigation by otto-js (via Bleeping Computer) has uncovered that passwords you type into login masks could be sent to Google servers when you use the “reveal password” feature. This is an option on many websites that’s supposed to make it easier to fill in passwords as it allows you to see what you’re typing in plain text. However, this also means that Chrome’s usual privacy protection doesn’t work as this password text could be treated as regular text that’s meant to be spell checked. Websites can prevent this from happening by adding a “spellcheck=false” HTML attribute to the field in question, but as Bleeping Computer and otto-js show, this is something that a lot of websites neglect, including Big Tech sites like Facebook.
LastPass was also one of the companies to be affected by this loophole. After being contacted by otto-js, the security company fixed the problem by introducing the “spellcheck=false” attribute to its input field.
When asked by Bleeping Computer, Google explained that enhanced spell check is only enabled on an opt-in basis, and people are warned that it means all their input data is sent off to servers. This already limits who is affected by the problem in the first place. The company then went on to make clear that it is aware that the data may sometimes be sensitive, so text isn’t attached to any user identity and only stored and processed on Google’s servers temporarily. The company further vowed to improve its own processes to exclude passwords from being processed proactively.
The investigation also found the Microsoft Editor browser extension to be guilty of the same issue. This is to be expected, as the Microsoft service also relies on cloud-based processing to offer enhanced spelling, style, and grammar checks.
Given that both Microsoft and Google are explicit about text you type being sent to their servers, we don’t think that anyone should be surprised that under the right circumstances, their passwords might be sent alongside other text they type. It’s clear that both spell checkers shouldn’t be used if you routinely handle confidential information, too, as you hand over access to everything you type to a party that is out of your control, even if both offer good privacy policies. It’s good that this investigation has brought to light some of the issues with cloud-based spell checking, but it really should be something that one could anticipate with a cloud-based spell checker.
If you’re already using one of many great password managers, you should be in the clear, too, even when you use Chrome’s enhanced spell check or Microsoft Editor. After all, you will only ever copy and paste passwords or use an autofill extension. The only thing you need to be aware of here is that there are also tools that sync your clipboard across your devices. If you use any of these, it’s possible that your passwords could show up in places you don’t expect them to as well, including some company’s server.