A team at the JavaScript security firm otto-js were testing script detection when they found the unusual activity. Furthermore, if users access the “Show Password” option when entering their password, this information is also sent to the companies. It seems anything put into a form when the spellcheckers are active will be sent. However, the researchers say Google only receives the information temporarily: “The text typed by the user may be sensitive personal information and Google does not attach it to any user identity and only processes it on the server temporarily. To further ensure user privacy, we will be working to exclude passwords proactively from spell check.”
It is worth noting that Enhanced Spellchecker in Chrome is off by default. Users must enable it if they want to use it. In Microsoft Edge, the Microsoft Editor suite is not available by default. Instead, users must install it to the browser. In Chrome, Google tells users that “(t)ext that you type in the browser is sent to Google.” It is likely Microsoft has similar language around the Editor. However, the security researchers warn this practice could open attack avenues for threat actors. It is worth checking out the full research on the otto-js blog.
Microsoft Editor
If you’re unfamiliar with Editor, it made its debut with the launch of Microsoft 365 Personal and Family early in 2020. Launched on Microsoft Word, the feature later become available on other Microsoft Office apps and web browsers. The Editor feature is available for free. However, advanced grammar suggestions, writing refinement tips, and spell checking are limited to Microsoft 365 subscribers. Tip of the day: With many reachable wireless access points popping up and disappearing again, the available networks list can become quite annoying. If needed you can use the allowed and blocked filter list of Windows to block certain WiFi networks or all unknown WiFi networks.