
Google servers could get your passwords if you use enhanced spell check in Chrome – Android Police


This is only an issue when you use ‘show password’ on sites that don’t conform to best practices
Google Chrome is filled to the brim with useful features, like spell check. Other than the standard spell check, Chrome also offers “enhanced spell check.” When you want to enable it, Google notes that whatever you type in the browser will be sent to the company’s servers to run it through advanced grammar and style algorithms. This already makes clear that you probably shouldn’t enable it when you’re concerned about data security, and an investigation has confirmed exactly this. Under certain circumstances, your passwords and usernames could be sent to Google's spell-checking servers during login processes.
An investigation by otto-js (via Bleeping Computer) has uncovered that passwords you type into login forms could be sent to Google servers when you use the “reveal password” feature. This is an option on many websites that’s supposed to make it easier to fill in passwords, as it allows you to see what you’re typing in plain text. However, this also means that Chrome’s usual privacy protection doesn’t work, as the password text could be treated as regular text that’s meant to be spell checked. Websites can prevent this from happening by adding a “spellcheck=false” HTML attribute to the field in question, but as Bleeping Computer and otto-js show, this is something that a lot of websites neglect, including Big Tech sites like Facebook.
LastPass was also one of the companies to be affected by this loophole. After being contacted by otto-js, the security company fixed the problem by introducing the “spellcheck=false” attribute to its input field.
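The fix described above, as an added example that is not from the article, otto-js or any of the sites named: a reveal toggle that sets `spellcheck="false"` before switching the field to plain text, plus a small audit of form markup for credential inputs that lack the attribute. The function names, the `autocomplete="username"` heuristic and the sample form are assumptions constructed for illustration.

```javascript
// Toggle a password field between masked and plain text. spellcheck="false"
// is set before the type changes, so the field is never plain text without it.
function toggleReveal(input) {
  input.setAttribute('spellcheck', 'false');
  const reveal = input.getAttribute('type') === 'password';
  input.setAttribute('type', reveal ? 'text' : 'password');
  return reveal; // true when the password is now visible
}

// Parse the attributes of one start tag into an object keyed by lowercase name.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<\w+/, '').replace(/\/?>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Audit static markup: list credential inputs (type="password", or
// autocomplete="username") that do not carry spellcheck="false" themselves.
// Simplifications: an inherited spellcheck value from an ancestor element is
// not considered, and attribute values containing ">" are not handled.
function auditCredentialFields(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    const a = parseAttributes(tag);
    const isCredential = (a.type || '').toLowerCase() === 'password' ||
      (a.autocomplete || '').toLowerCase() === 'username';
    if (isCredential && (a.spellcheck || '').toLowerCase() !== 'false') {
      findings.push(a.name || a.id || '(unnamed)');
    }
  }
  return findings;
}

// Constructed sample markup: two unprotected fields and one protected field.
const SAMPLE_FORM = `
<form>
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pw-old">
  <input type="password" name="pw-new" spellcheck="false">
  <input type="search" name="q">
</form>`;

console.log(auditCredentialFields(SAMPLE_FORM)); // fields still missing the attribute
```

In a page, `toggleReveal` would be called from the click handler of the "show password" control with the real input element.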
When asked by Bleeping Computer, Google explained that enhanced spell check is only enabled on an opt-in basis, and people are warned that it means all their input data is sent off to servers. This already limits who is affected by the problem in the first place. The company then went on to make clear that it is aware that the data may sometimes be sensitive, so text isn’t attached to any user identity and is only stored and processed on Google’s servers temporarily. The company further vowed to improve its own processes to proactively exclude passwords from being processed.
The investigation also found the Microsoft Editor browser extension to be guilty of the same issue. This is to be expected, as the Microsoft service also relies on cloud-based processing to offer enhanced spelling, style, and grammar checks.
Given that both Microsoft and Google are explicit about text you type being sent to their servers, we don’t think that anyone should be surprised that under the right circumstances, their passwords might be sent alongside other text they type. It’s clear that both spell checkers shouldn’t be used if you routinely handle confidential information, too, as you hand over access to everything you type to a party that is out of your control, even if both offer good privacy policies. It’s good that this investigation has brought to light some of the issues with cloud-based spell checking, but it really should be something that one could anticipate with a cloud-based spell checker.
If you’re already using one of many great password managers, you should be in the clear, too, even when you use Chrome’s enhanced spell check or Microsoft Editor. After all, you will only ever copy and paste passwords or use an autofill extension. The only thing you need to be aware of here is that there are also tools that sync your clipboard across your devices. If you use any of these, it’s possible that your passwords could show up in places you don’t expect them to as well, including some company’s server.
Manuel Vonau joined Android Police as a freelancer in 2019 and has worked his way up to become the publication’s Google Editor.

